Abstract

We show that a black-box construction of a pseudorandom generator from a one-way function needs to make Ω(n/log(n)) calls to the underlying one-way function. The bound even holds if the one-way function is guaranteed to be regular. In this case it matches the best known construction due to Goldreich, Krawczyk, and Luby (SIAM J. Comp. 22, 1993), which uses O(n/log(n)) calls.
1 Introduction

1.1 One-way functions and pseudorandom generators 

Starting with the seminal works by Yao [Yao82] and Blum and Micali [BM84], researchers have studied the relationship between various cryptographic primitives, such as one-way functions, pseudorandom generators, pseudorandom functions, and so on, producing a wide variety of results. One particular task which was achieved was the construction of pseudorandom generators from one-way functions, a task which has a history on its own. First, it was shown that one-way permutations imply pseudorandom generators [Lev87, GL89]. Later, the result was extended to regular one-way functions [GKL93], and finally it was shown that arbitrary one-way functions imply pseudorandom generators [HILL99].

Unfortunately, the constructions given in [GKL93] and [HILL99] are relatively inefficient (even though they run in polynomial time). Suppose we instantiate the construction given in [GKL93] with a regular one-way function taking n bits to n bits. Then, it yields a pseudorandom generator whose input is of length O(n^3) and calls the underlying one-way function O(n) times. The parameters in [HILL99] are worse: if we instantiate the construction with an (arbitrary) one-way function taking n bits to n bits, we obtain a pseudorandom generator which needs O(n^8) bits of input, and which does around Θ(n^12) calls to f. The parameters of the security reduction are also very weak.

Naturally, many papers improve the efficiency of these results: [HHR06a, Hol06] show that the result of [HILL99] can be achieved with a more efficient reduction in case one assumes that the underlying one-way function has stronger security than the usual polynomial time security. [HHR06b] reduces the input length of the pseudorandom generator in [GKL93] to Θ(n log(n)). Also it reduces the input length in [HILL99] by a factor of Θ(n), and the number of calls by a factor of Θ(n^3). Most impressive, [HRV10] reduces the seed length to O(n^4) and the number of calls to O(n^3), for the construction of a pseudorandom generator from an arbitrary one-way function. Finally, [VZ12] reduce the seed length in this last construction to O(n^3).

We remark that the main focus on the efficiency has been on reducing the seed length. This is reasonable, as (private) randomness is probably the most expensive resource.³ Nevertheless, one would like both the seed length and the number of calls to be as small as possible.

1.2 Black-box separations 

After [BM84, Yao82], it was natural to try and prove that one-way functions do imply seemingly stronger primitives, such as key agreement. However, all attempts in proving this failed, and so researchers probably wondered (for a short moment) whether in fact one-way functions do not imply key agreement. A moment of thought reveals that this is unlikely to be true: key-agreement schemes seem to exist, and so in fact we believe that — consider the following as a purely logical statement — one-way functions do imply key-agreement.

A way out of the dilemma was found by Impagliazzo and Rudich in a breakthrough work [IR89]. They observed that the proofs of most results such as "one-way functions imply pseudorandom generators" are, in fact, much stronger. In particular, the main technical part of [HILL99] shows that there exist oracle algorithms g^{(·)} and A^{(Breaker, f)} with the following two properties:

• For any oracle f, g^{(f)} is an expanding function.

• For any two oracles (Breaker, f), if Breaker distinguishes the output of g^{(f)} from a random string, then A^{(Breaker, f)} inverts f.

Impagliazzo and Rudich then showed that the analogous statement for the implication "one-way functions imply key-agreement" is simply wrong, giving the first "black-box separation".

After the paper of Impagliazzo and Rudich, many more black-box separations have been given (too many to list them all). We use techniques from several papers: in order to prove that there is no black-box construction of collision resistant hash-functions from one-way permutations, Simon [Sim98] introduced the method of giving specific oracles which break the primitive to be constructed. Such oracles (usually called Breaker) are now widely used, including in this paper. Gennaro et al. [GGKT05] developed an "encoding paradigm", a technique which allows one to give very strong black-box separations, even excluding non-uniform security reductions. This encoding paradigm was first combined with a Breaker oracle in [HHRS07]. In [HH09] a slightly different extension of [Sim98] is used: their technique analyzes how Breaker behaves in case one modifies the given one-way permutation on a single randomly chosen input. We also use this method.

Some black-box separation results are (as we are) concerned with the efficiency of constructing pseudorandom generators. Among other things, Gennaro et al. [GGKT05] show that in order to get a pseudorandom generator which expands the input by t bits, a black-box construction needs to do at least Ω(t/log(n)) calls to the underlying one-way function (this matches the combination of Goldreich-Levin [GL89] with the extension given in Goldreich-Goldwasser-Micali [GGM86]). In [Vio05], Viola shows that in order for a black-box construction to expand the input by t bits, it needs to do at least one of (a) adaptive queries, (b) sequential computation, or (c) use Ω(t · n log(m)) bits of input, when the underlying one-way function maps n to m bits. This result has been somewhat strengthened by Lu [Lu06]. The papers [BJP11, MV11] both study how much the stretch of a given generator can be enlarged, as long as the queries to the given generator are non-adaptive.

³ We would like to mention that in part this focus also seems to come from the (somewhat arbitrary) fact that people usually set the security parameter equal to the input length. For example, suppose we have a one-way function from n to n bits with security 2^{n/100} (meaning that in time 2^{n/100} one can invert f only with probability 2^{-n/100}). If a construction now yields a pseudorandom generator with m = n^2 bits of input, the security can at most be 2^{√m/100}. From this it becomes tempting to argue that because m ↦ 2^{√m/100} is a much slower growing function than n ↦ 2^{n/100}, it is crucial to make the input length as small as possible. However, if one introduces a security parameter k, both primitives could have security roughly 2^k. Arguing over the function which maps the input length to the security is not a priori a good idea.

1.3 Contributions of this paper 

A natural question to ask is: "what is the minimum seed length and the minimal number of calls needed for a black-box construction of a pseudorandom generator from a one-way function?"

To the best of our knowledge, it is consistent with current knowledge that a construction has seed length O(n) and does a single call to the underlying one-way function (however, recall that [GGKT05] show that in order to get a stretch of t bits, at least Ω(t/log(n)) calls need to be made).

The reason why no stronger lower bounds are known seems to be that from a one-way permutation it is possible to get a pseudorandom generator very efficiently by the Goldreich-Levin theorem [GL89]: the input length only doubles, and the construction calls the underlying one-way permutation once. Also, almost all black-box separation results which prove that a primitive is unachievable from one-way functions also apply to one-way permutations. The only exceptions to this rule we are aware of are given by [Rud88, KSS11], where it is shown that one-way permutations cannot be obtained from one-way functions, and [MM11], where this result is strengthened. However, both these results use a technique which does not seem to apply if one wants to give lower bounds on the efficiency of the construction of pseudorandom generators.⁴

One should note that a very efficient construction of a pseudorandom generator from a one-way 
function might have implications for practice: it is not inconceivable that in this case, practical 
symmetric encryption could be based on a one-way function, at least in some special cases where 
one would like a very high guarantee on the security. 

We show in this paper that any construction must make at least Ω(n/log(n)) calls to the underlying one-way function. While this bound is interesting even for arbitrary one-way functions, it turns out that our proof works with some additional work even if the one-way function is guaranteed to be regular. In this case, the number of calls matches the parameters in [GKL93] (and recall that the length of the seed has been reduced to Θ(n log(n)) in [HHR06b], with the same number of calls to the one-way function).

In our theorem, we exclude a fully black-box reduction, using the terminology of [RTV04]. In fact, we give three results.

In our first result, we assume that the construction g^{(·)} when used with security parameter k only calls the underlying one-way function with the same security parameter k. We believe that this is a natural assumption, as all constructions we know have this property, and the underlying input length is not immediately defined if g makes calls to f(k, ·) for various values of k. The result is stated in Theorem 5.

Next, we study black-box constructions with the same restriction, but where the security reduction is non-uniform. These can be handled with the technique from [GGKT05], and in our case it yields Theorem 6.

Finally, we remove the restriction that the construction calls the underlying function with a fixed security parameter. This gives Theorem 7. However, one needs to be careful somewhat, since in this case, the construction calls the given one-way function on a number of input lengths n, and thus already the expression Ω(n/log(n)) in our lower bound needs to be specified more exactly. Our theorem uses the shortest input length of any call to f (i.e., our lower bound is weakest possible in this case). Also, we remark that this last bound does not exclude the construction of "infinitely often pseudorandom generators", which are secure only for infinitely many security parameters.

⁴ Both proofs use the fact that a one-way permutation satisfies g(v) ≠ g(v') for any v ≠ v' crucially.

2 The Main Theorem 

We think of a one-way function as a family {f_k}_{k>0}, indexed by some security parameter k. The function f_k then takes as input a bitstring of length n(k), and outputs a bitstring of length n'(k). Usually, the case n(k) = n'(k) = k is considered in the literature. We want to distinguish n and k here, as we hope this makes the discussion clearer. However, we will still require that n is polynomially related to k.⁵

Definition 1. A function n(k) : ℕ → ℕ is a length function if there exists c ∈ ℕ such that k^{1/c} ≤ n(k) ≤ k^c, n(k) can be computed in time k^c, and n(k+1) ≥ n(k) for any k.

In general, the length n(k) of the input of a one-way function differs from the length n'(k) of the output. In case n(k) > n'(k), it is shown in [DHR08] how to obtain a "public-coin collection of one-way functions", where both the input and the output length are n'(k). Such a collection can be used with known constructions to get a pseudorandom generator, and the number of calls will only depend on n'(k). In case n(k) < n'(k), it is easy to see that one can also get a "public-coin collection of one-way functions" with input and output length 2n(k).

Therefore, we can restrict ourselves to the case n(k) = n'(k), and see that otherwise, the parameter min(n(k), n'(k)) is the quantity of relevance to us.

Definition 2. A one-way function f = {f_k}_{k>0} is a family of functions f_k : {0,1}^{n(k)} → {0,1}^{n(k)}, computable in time poly(k), such that for any algorithm A running in time poly(k) the function mapping k to

\[ \Pr_{x,A}\bigl[A(k, f_k(x)) \text{ inverts } f_k\bigr] \tag{1} \]

is negligible in k.⁶

A pseudorandom generator g = {g_k}_{k>0} is a family of polynomial time computable functions g_k : {0,1}^{m(k)} → {0,1}^{m'(k)} with m'(k) > m(k) and such that for any algorithm B running in time poly(k)

\[ \Pr_{v,B}\bigl[B(k, g_k(v)) = 1\bigr] - \Pr_{w,B}\bigl[B(k, w) = 1\bigr] \tag{2} \]

is negligible in k.

We next define fully black-box constructions, but only for the special case of importance to us. Note that we assume that the underlying one-way function is regular (a function family {f_k}_{k>0} is regular if |{x' : f_k(x') = f_k(x)}| only depends on k and not on x).

⁵ The requirement that n(k) ≤ k^c is implicit in the definition of one-way functions, as otherwise the one-way function cannot be evaluated in time polynomial in k. The requirement n(k) ≥ k^{1/c} is different, however. For example, suppose a family {f_k}_{k>0} can be evaluated in time k^{O(1)} and has n(k) = log²(k). Also, suppose that f is a one-way function in the sense that in time k^{O(1)} it cannot be inverted with probability k^{-O(1)} ≤ 2^{-Ω(√n)}. If f is additionally regular, fewer than Ω(n/log(n)) calls are sufficient to construct a pseudorandom generator.

⁶ We say that "A(f_k(x)) inverts f_k" if f_k(A(f_k(x))) = f_k(x), and write A below the symbol Pr to indicate that the probability is also over any randomness A may use. We also assume it is clear that x is picked from {0,1}^{n(k)}.
Definition 3. A fully black-box construction of a pseudorandom generator from a regular one-way function consists of two oracle algorithms (g, A). The construction g^{(f)} is a polynomial time oracle algorithm which provides, for each length function n(k) and each ℓ, a function g_ℓ : {0,1}^{m(ℓ)} → {0,1}^{m'(ℓ)} with m'(ℓ) > m(ℓ). For this, g may call f as an oracle.

Further, the security reduction A^{(·,·)}(k, ·, ·) is a poly(k, 1/ε)-time oracle algorithm such that for any regular function f, any inverse polynomial function ε(ℓ), and any oracle Breaker for which

\[ \Pr_{v,\mathrm{Breaker}}\bigl[\mathrm{Breaker}(\ell, g_\ell(v)) = 1\bigr] - \Pr_{w,\mathrm{Breaker}}\bigl[\mathrm{Breaker}(\ell, w) = 1\bigr] > \varepsilon(\ell) \tag{3} \]

for infinitely many ℓ, then

\[ \Pr_{x,A}\bigl[A^{(\mathrm{Breaker}, f)}(k, \varepsilon(\ell), f_k(x)) \text{ inverts } f_k\bigr] \tag{4} \]

is non-negligible.



In a large part of the paper we restrict ourselves to the (most interesting) case where g only calls f on a single security parameter.

Definition 4. A black-box construction is security parameter restricted if g(k, ·) only calls f(k, ·) and A(k, ·) only calls Breaker(k, ·) and f(k, ·) for any k.

Our main contribution is the following theorem:

Theorem 5. Let n(k), r(k) ∈ poly(k) be computable in time poly(k), and assume that r(k) ∈ o(n(k)/log(n(k))). There exists no security parameter restricted fully black-box construction of a pseudorandom generator from a one-way function which has the property that g(k, v) does at most r(k) calls to f(k, ·).

The above discussion assumes that the adversary is uniform (i.e., there is a single adversary A^{(·,·)} with oracle access to f and Breaker). However, many black-box results even work in case that A can be a non-uniform circuit, and our result is no exception. We define non-uniform black-box constructions in Section 7 and then prove the following theorem (we also change the security of the one-way function from standard security to security s(k) in order to illustrate what results we can get in this case).

Theorem 6. Let r(k), s(k), n(k) be given, and assume r(k) < n(k)/(1000 log(s(k))) for infinitely many k. Then, there is no non-uniform security parameter restricted fully black-box construction of a pseudorandom generator from a one-way function with security s which has the property that g(k, v) does at most r(k) calls to f(k, ·).

In Section 8 we study what happens with black-box constructions which are not security parameter restricted. To explain our results in this setting, we need a few more definitions. Suppose we have given an oracle construction (g, A), and fix the oracle f (i.e., the one-way function). For each ℓ we then consider the shortest call which g(ℓ, v) makes to f for any v:

\[ n_f(\ell) := \min\{\, n(k) \mid \exists v : g^{(f)}(\ell, v) \text{ queries } f(k, \cdot) \,\}. \tag{5} \]

Analogously, for each ℓ we consider the maximal number of calls g(ℓ, v) makes to f:

\[ r_f(\ell) := \max\{\, r \mid \exists v : g^{(f)}(\ell, v) \text{ makes } r \text{ queries to } f \,\}. \tag{6} \]

Note that both n_f and r_f do in general depend on the oracle f.
Our second main theorem is then given in the following:
Theorem 7. Fix a length function n(k). Let (g, A) be a fully black-box construction of a pseudorandom generator from a regular one-way function. Then, there is an oracle f for which



3 Notation and Conventions 

In most of the paper, we consider one fixed security parameter k = ℓ. Then, the input length n = n(k) of the one-way function and the input length m = m(k) of the pseudorandom generator are also fixed.

3.1 Pseudouniform functions 

A pseudouniform function is a family g = {g_k}_{k>0} of length preserving functions g_k : {0,1}^{m(k)} → {0,1}^{m(k)} such that the output of g_k is indistinguishable from a uniform string. An example is given by the identity function, or any one-way permutation.



Definition 8. A function family g = {g_k}_{k>0} where g_k : {0,1}^{m(k)} → {0,1}^{m(k)} of poly(k)-time computable functions is pseudouniform if, for all algorithms A running in time poly(k) the function

\[ \Pr_{A,v}\bigl[A(k, g_k(v)) = 1\bigr] - \Pr_{A,w}\bigl[A(k, w) = 1\bigr] \tag{7} \]

is negligible in k.

If we are given a family {g_k}_{k>0} which is both pseudouniform and a one-way function, then we can obtain a pseudorandom generator using only one call to g by the Goldreich-Levin Theorem [GL89]. Conversely, given a pseudorandom generator one can get a pseudouniform one-way function by truncating the output.

Theorem 9. Suppose that g = {g_k} is both a pseudouniform function and also a one-way function. Then, h_k(v, z) := (g(v), z, ⊕_{i=1}^{m} v_i z_i) is a pseudorandom generator.

Conversely, if g is a pseudorandom generator with m(k) bits of input, the truncation of g to the first m(k) bits of its output is both pseudouniform and a one-way function.

Proof. The first part follows immediately by the fact that a distinguisher can be converted to a next bit predictor [BM84] and the Goldreich-Levin Theorem [GL89].

For the second part, let g : {0,1}^{m(k)} → {0,1}^{m(k)+1} be a pseudorandom generator where we assume without loss of generality that g expands by 1 bit. If the truncation g' : {0,1}^{m(k)} → {0,1}^{m(k)} is not pseudouniform, there must be some distinguisher which has non-negligible advantage in distinguishing the output from a uniform random string. Such a distinguisher immediately contradicts the pseudorandomness of g.

Suppose now that g' : {0,1}^{m(k)} → {0,1}^{m(k)} is not a one-way function. Then, there exists some (inverse) polynomial ε(k) and some algorithm A which inverts g' with probability at least ε for infinitely many k.

On some fixed security parameter k we now proceed as follows: first, let p be the probability that A finds a preimage of g' of a uniformly chosen element y ∈ {0,1}^m (i.e., the probability that g'(A(y)) = y for a uniform random y). This can be arbitrarily small, because the distribution is different from the distribution induced by g'(x). Using sampling, we can find an estimate p' of p such that with probability 1 − 2^{-k} the estimate satisfies |p − p'| < ε/4. If p' < ε/2, then we can distinguish the output of g from uniform by checking whether A inverts g' on the first m(k) bits.

(8)

On the other hand, if p' ≥ ε/2 we can assume p ≥ ε/4. Now A immediately gives an inverter for g which inverts a random uniform bitstring of length m+1 with probability at least ε/8 (just ignore the last bit, invert g', and hope the last bit matches). Finally, the probability an inverter for g inverts an output of g is at least twice the probability it inverts a uniform bitstring. Thus, we can get a distinguisher by checking whether A even finds an inverse of g, given only the first m bits of the result. □

Thus, we see that giving lower bounds on the construction of pseudorandom generators is 
equivalent to giving lower bounds on the construction of pseudouniform one-way functions. 



3.2 Normalization

Suppose we have a construction {g_k^{(f)}}_{k>0} of a supposedly pseudouniform one-way function, where k is a security parameter. We make several assumptions on the construction which simplify the proofs. First, we assume that g never calls f twice with the same input, and does exactly r calls to f. This is easy to achieve: one can modify g to get an equivalent oracle construction with these properties. Next, we enlarge the range of g, and assume that in case two queries of f give the same answer, then g outputs a special symbol which encodes a failure. This last restriction is not completely trivial, as it can break some constructions of pseudouniform functions for some choices of underlying one-way functions. As we will see in the proof of Theorem 5, in our case this is no problem (because of the way we construct the oracles f_k).

Definition 10. Let {0,1}^{m*} := {0,1}^m ∪ {(⊥, v) | v ∈ {0,1}^m}. An oracle function g^{(f)} : {0,1}^m → {0,1}^{m*} is r-query normalized if g(v) never queries f with the same input twice, does exactly r calls to f, and whenever two outputs of f agree, g^{(f)}(v) = (⊥, v).

We will write g instead of g^{(f)} whenever f is clear from the context. Furthermore, we let g'(v, y_1, ..., y_r) be the function which never calls f but instead just uses y_i as the reply of f to the i-th query.



3.3 Notations 

Definition 11 (The Query-sets). The set Query(g, v, f) is {(x_1, y_1), ..., (x_r, y_r)}, where x_i is the i-th query which g does to f in an evaluation of g^{(f)}(v), and y_i is the answer given by f. The set Query(g, v, y_1, ..., y_r) is defined similarly (in particular, it also contains pairs (x_i, y_i)). The sets QueryX(g, v, f) and QueryY(g, v, f) contain the x- and y-part of the pairs in Query(g, v, f).

For a pair (x*, y*), we define

\[ f^{(x^*, y^*)}(x) := \begin{cases} y^* & \text{if } x = x^* \\ f(x) & \text{otherwise.} \end{cases} \tag{9} \]

We use the following sets of functions f : {0,1}^n → {0,1}^n. For a set 𝒴 ⊆ {0,1}^n such that |𝒴| divides 2^n, F(𝒴) is the set of all regular surjective functions f : {0,1}^n → 𝒴. Then, P_n is the set of all bijective functions f : {0,1}^n → {0,1}^n, i.e., the permutations. We use P instead of P_n when n is clear from the context, and write f ← P_n or f ← F(𝒴) to pick a function uniformly from the respective set.
4 Overview of the Proofs



We now try to provide some intuition of the proofs. We concentrate on the proof of Theorem 5, and only say a few words about the other theorems in the end.

Basic setting By the discussion above, it is sufficient to consider constructions of pseudouniform one-way functions from one-way functions. Thus, suppose a fully black-box construction (g, A) of a pseudouniform one-way function is given. We fix some security parameter k, and consider g(k, ·), which only calls f(k, ·).

Our task is to come up with a pair (Breaker, f), such that Breaker(k, ·) either inverts g or distinguishes the output of g from a uniform random string, and yet A^{(Breaker, f)} will not invert f(k, ·) with noticeable probability.

4.1 The case of a single call 

We first study the case where g^{(f)} does a single call to the underlying one-way function.

Example constructions We first discuss three example constructions for g^{(f)}, which all do r = 1 calls to f.

The first example g : {0,1}^n → {0,1}^n is defined as g(v) = f(v), i.e., the function simply applies the given one-way function. Clearly, g will be one-way, so that Breaker must distinguish the output of g from a random function; we will call such a breaker BreakPU. In this case, our proof will pick f : {0,1}^n → {0,1}^n as a very degenerate function (for example with image set of size |𝒴| = 2^{log(n)}). It is intuitive that BreakPU can distinguish the output of g from a uniform random string without helping to invert f.

The second example g : {0,1}^n → {0,1}^n is defined as g(v) = v, so that the function simply outputs the input v. In this case, clearly the function is pseudouniform, therefore Breaker will break the one-way property of g using exhaustive search. We will call such a breaker BreakOW.

The last example g : {0,1}^{2n} → {0,1}^{2n} is defined as

\[ g(v, r) := \begin{cases} (v, r) & \text{if } r \neq 0^n \\ (f(v), r) & \text{otherwise.} \end{cases} \tag{10} \]

This function is pseudouniform no matter how f is defined. Thus, Breaker needs to invert g. One sees that it needs to be careful here: if BreakOW(y, 0^n) returns a preimage of g, clearly A will be able to invert. Thus, only images (y, r) with r ≠ 0^n should be inverted.

Inverting constructions with one call It turns out that we can describe BreakOW(w) in general as follows: enumerate all possible inputs v, and evaluate g^{(f)}(v) on each of them. In case g^{(f)}(v) = w, BreakOW considers the output y which appeared in this evaluation as answer to the query done to f. It then considers the probability that w is the output in case nothing about f or v is known, but conditioned on y appearing in the evaluation (assuming that f is chosen as a permutation). If this probability is large (concretely, larger than 2^{-m+n/30}), BreakOW refuses to answer. Otherwise, it returns v.

A very quick intuition why this might not help to invert f is as follows: suppose an algorithm A^{(BreakOW, f)}(y) tries to invert y. In order to use BreakOW, A needs to find some useful w for this y. However, BreakOW ensures that it only inverts w which are not very likely to be outputs for this y, so that A is unlikely to find a matching w. Thus, we can hope that A will fail.

We will sketch the actual proof that f remains one-way given BreakOW later.
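To make the refusal check concrete, the following added example (not code from the paper) simulates the single-call BreakOW on the three example constructions above with n = 3, a constructed random permutation f, and the threshold 2^{n/30} from the text; the tuple encoding of inputs and the helper names are assumptions of this example.

```python
"""Toy simulation of the single-call BreakOW oracle from Section 4.1.

Added example, not code from the paper.  We fix n = 3 (so the threshold
2^(n/30) is just above 1), pick a random permutation f on n bits, and run
BreakOW on the three example constructions (g(v) = f(v), g(v) = v, and the
construction of equation (10)).  Every construction is 1-query normalized:
it queries f exactly once, on the first n bits of its input."""
import random

N = 3                       # input length of the one-way function f
THRESHOLD = 2 ** (N / 30)   # BreakOW refuses if more than this many v' yield w


def random_permutation(n, seed=1):
    """f <- P_n: a (seeded) random bijection on {0,1}^n, stored as a table."""
    rng = random.Random(seed)
    table = list(range(2 ** n))
    rng.shuffle(table)
    return table


# Each construction is given in the g' form of Section 3.2: g_prime(v, y)
# computes the output when f answers the single query with y.  Inputs and
# outputs are tuples of n-bit ints; (a, b) stands for the 2n-bit string a||b.

def query(v):
    """The single query g makes to f: the first n bits of the input v."""
    return v[0]

def g1_prime(v, y):            # g(v) = f(v), m = n
    return (y,)

def g2_prime(v, y):            # g(v) = v, m = n
    return v

def g3_prime(v, y):            # equation (10): (v, r) if r != 0^n, else (f(v), r)
    a, r = v
    return (a, r) if r != 0 else (y, r)


def inputs(blocks):
    """All inputs v in {0,1}^m for m = blocks * n, as tuples of n-bit ints."""
    if blocks == 1:
        return [(a,) for a in range(2 ** N)]
    return [(a, r) for a in range(2 ** N) for r in range(2 ** N)]


def break_ow(g_prime, blocks, f, w):
    """BreakOW(w): exhaustive search for a preimage v of w under g^(f), but
    refuse (return None) when w is too likely given the f-answer y seen in
    that evaluation, i.e. when #{v' : g'(v', y) = w} / 2^m > 2^(-m + n/30),
    which is the same as #{v' : g'(v', y) = w} > 2^(n/30)."""
    for v in inputs(blocks):
        y = f[query(v)]
        if g_prime(v, y) != w:
            continue
        count = sum(1 for v2 in inputs(blocks) if g_prime(v2, y) == w)
        if count > THRESHOLD:
            return None          # refuse: answering might help invert f
        return v
    return None                  # no preimage at all (the paper's "bottom")


def demo(seed=1):
    """Run BreakOW on one image of each construction; returns the answers."""
    f = random_permutation(N, seed)
    results = {}
    # g(v) = f(v): w = f(5).  Every v' maps to w once y = f(5) is fixed, so refuse.
    results["g(v)=f(v)"] = break_ow(g1_prime, 1, f, (f[5],))
    # g(v) = v: w = 5.  Only v' = 5 maps to w, so the preimage is returned.
    results["g(v)=v"] = break_ow(g2_prime, 1, f, (5,))
    # eq. (10), r != 0^n: w = (5, 2) has the unique preimage (5, 2).
    results["eq.(10) r!=0"] = break_ow(g3_prime, 2, f, (5, 2))
    # eq. (10), r = 0^n: w = (f(5), 0) is reached from every (a, 0) once
    # y = f(5) is fixed, i.e. from 2^n inputs v', so BreakOW refuses.
    results["eq.(10) r=0"] = break_ow(g3_prime, 2, f, (f[5], 0))
    return results


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:14s} -> {'refused / no preimage' if answer is None else answer}")
```

With a different seed the permutation changes but the four verdicts do not, since they depend only on how many inputs collapse onto w for a fixed f-answer.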
Invert or distinguish constructions with one call We now distinguish two cases: if BreakOW inverts g for a randomly chosen f with probability (say) 1/2, clearly we are done. Otherwise, it must be that very often in random evaluations of g, once the output of f is fixed to y, certain values w are much more likely (if the rest, i.e., v and f, are still chosen at random). In this case, we first pick 𝒴 ⊆ {0,1}^n, |𝒴| = 2^{log(n)} as image set. We then show that there is some small set W(𝒴) depending only on 𝒴, such that if we pick f from F(𝒴) and v uniformly at random, with high probability g^{(f)}(v) ∈ W(𝒴). Thus, we can distinguish the output of g^{(f)}(v) from a uniform random string by just checking whether it is in W(𝒴), and this without even knowing the details of f (namely, we can still pick f : {0,1}^n → 𝒴 uniformly at random).

The reason that g^{(f)}(v) ∈ W(𝒴) is likely should be intuitive: we know that conditioning on some fixed y highly biases the output w, and because there are only few y ∈ 𝒴, the output should still be biased overall.

The underlying one-way function remains one-way We still need to argue that BreakOW does not help to invert a random permutation f. For this, suppose A^{(BreakOW, f)}(y_0) tries to invert y_0 = f(x_0). Pick a random x* and consider the function f* = f^{(x*, y_0)}, as defined in Section 3.3. Also, let BreakOW* be defined as BreakOW, except that it uses f* instead of f when it evaluates g in the exhaustive search.

Intuitively, if A^{(BreakOW, f)}(y_0) is likely to return x_0, then A^{(BreakOW*, f*)}(y_0) must be at least somewhat likely to return x*, because x* has the same distribution as x_0 from A's point of view (the same argument was previously used in [HH09], and in a more convoluted way in [Sim98]). This means that the two runs of A have to differ in some call with noticeable probability. It is unlikely that they differ in a call to f, since x* was picked at random and A makes few calls to f. Thus, they have to differ in some call to BreakOW with noticeable probability.

However, it turns out that BreakOW*(w) ≠ BreakOW(w) for any w only with very low probability: it only happens in two cases. First, if x* is the query which BreakOW(w) makes to f; but there is only one such query, so this happens with probability 2^{-n} (over the choice of x*).

The other case is if there is some v for which the output of g^{(f)}(v) changes to w when we replace f with f*.

Now, recall the check BreakOW performs before it outputs v. This check is equivalent to the following: enumerate all pairs (v', y'), and count the number for which g(v') = w in case f answers the only query with y'. If this number is larger than 2^{n/30}, refuse to return v.

This now implies that there can only be 2^{n/30} values for x* for which the output changes to w, and so this case is unlikely as well.

4.2 Multiple calls 

The case when g can make more than 1 call is significantly more difficult than the case where g 
makes a single call. It turns out that most of the issues which arise can be discussed already for 
r = 2 calls, so we restrict the discussion to this case in this section. 

Construction with many calls Of course, the same examples as before still work. Thus, BreakOW(w) still does the same check before returning v: does conditioning on one of the two query answers y_1 and y_2 given by f in the evaluation of g(v) make w much more likely? If so, it refuses to answer.

However, it turns out that we can restrict BreakOW(w) even more: it should also not return a preimage v if conditioning on having seen both outputs y_1 and y_2 in an evaluation makes the output w more likely. As it turns out, we only know how to prove that BreakOW does not help invert f with this additional restriction.

A useful example might be the construction which takes as input a v = (x_1, x_2) of length 2n, and is defined as

\[ g^{(f)}(x_1, x_2) := \begin{cases} (f(x_1), f(x_2)) & \text{if } f(x_1) = f(x_2) \oplus (1, \ldots, 1) \\ (x_1, x_2) & \text{otherwise.} \end{cases} \tag{11} \]

This will be a pseudouniform function, because usually f(x_1) ≠ f(x_2) ⊕ (1, ..., 1). Also, we see that an adversary A which tries to use BreakOW to invert y would presumably call BreakOW on input (y, y ⊕ (1, ..., 1)). However, using the additional restriction above, BreakOW will definitely not return the inverse A is looking for.

We make two additional remarks: It turns out that if BreakOW inverts g(v) with low probability, we can choose 𝒴 ⊆ {0,1}^n as small as 2^{Θ(n/r)}, and conditioned on f being from F(𝒴), the output of g is very biased. Since |𝒴| is super-polynomial only as long as r ∈ o(n/log(n)), we see that f stops being a one-way function once r ∉ o(n/log(n)).

Second, there is a question on whether above one should condition on y_1 being the first output, and y_2 being the second output, or just on both y_1 and y_2 appearing as an output. We choose the latter, as it seems more natural in the concentration bound explained below. It seems we can be relatively careless with this, because r^r < 2^n.

The underlying one-way function still remains one-way. Again, we need to argue why BreakOW does not help to invert $f$. As before, we can show that we only need to prove that with high probability over the choice of $x^*$ we have $\mathrm{BreakOW}^*(w) = \mathrm{BreakOW}(w)$. Previously, this followed by a simple counting argument. Now, it becomes more difficult. To see why, consider

$$g^{(f)}(x_1, x_2) = \begin{cases} 0^{2n} & \text{if } x_1 = x_2 = 1^n \\ 1^{2n} & \text{otherwise, if also } x_1 = f(x_1) \text{ and } x_2 \neq f(x_2) \\ (x_1, x_2) & \text{otherwise.} \end{cases} \qquad (12)$$

One can check that neither conditioning on a value of $y_1$, $y_2$, nor on a pair $(y_1, y_2)$ makes some output $w$ of $g$ much more likely. Therefore, BreakOW(w) will simply return the first preimage it finds.

Suppose now that $f$ was picked in a very unlikely way: $f(x) = x$ for all $x$. Then, $\mathrm{BreakOW}(1^{2n})$ will return $\bot$, signifying that no preimage was found. On the other hand, for any $x^*$ and any $f^*$ as above, $\mathrm{BreakOW}^*(1^{2n})$ will return $(x_1, x^*)$ for some $x_1$. Thus, for some functions $f$, $\mathrm{BreakOW}^*$ can behave very differently from BreakOW.

It is, however, possible to show that functions $f$ for which this happens are very unlikely. In case $r = 2$, a usual Chernoff bound is sufficient for that. For $r$ larger than 2, a concentration bound for polynomials in the style proven by [KV00] seems to be needed. We will use a bound from [Hol11], and show in Section 6 how it can be used to show that for almost all functions $f$, $\mathrm{BreakOW}^{(f)}(w) \neq \mathrm{BreakOW}^{(f^*)}(w)$ has very low probability (over the choice of $x^*$).

It turns out that this concentration bound breaks down if $r \in \Omega(n/\log(n))$.

4.3 Non-uniform security reductions 

The above considerations prove Theorem 5, which excludes constructions with uniform security proofs. The technique given in [GGKT05] allows proving lower bounds which also hold against non-uniform security reductions, and we can apply this technique in our context. We do so in Section 7, giving the non-uniform version of Theorem 5.






4.4 On the security parameter restriction 

Given our techniques, one might suspect that the restriction on the security parameter is inherent to them. However, as we show in Section 8, this is not the case. Our proof will then break the resulting pseudouniform one-way function only for infinitely many security parameters $k$, instead of for all but finitely many $k$ as one might hope.

This last restriction is inherent, at least as long as one only uses underlying regular one-way functions. The reason is that constructions exist which do fewer than $n/\log(n)$ calls, and yield a pseudorandom generator for infinitely many security parameters.

In order to get rid of the restriction, we use the following idea: we consecutively find infinitely many values $\ell$ for which $g(\ell, \cdot)$ does fewer than $n/\log(n)$ queries, where $n$ is the shortest input length which $g$ queries on security parameter $\ell$. After this, we simultaneously fix $f(k, \cdot)$ for all $k$ which $g$ can access. The idea is that underlying $f(k, \cdot)$, there could be a single one-way function for many different values of $k$. Thus, we can reduce our task to the problem solved in the previous sections.

Of course some technical problems arise. These are dealt with in Section 8.

5 The Breaker Oracles 

We will give two oracles, each of which breaks one of the two security properties of $g$. The first oracle inverts $g$ with noticeable probability, and the second oracle distinguishes the output of $g$ from a uniform random string. For each security parameter $k$ we will then set $\mathrm{Breaker}_k$ to be one of these two oracles, depending on the combinatorial structure of $g_k$.

5.1 The inverting oracle 

The first oracle is called BreakOW. It inverts $g$ in some cases, and is given as an algorithm below, but we first explain it informally. On input $w \in \{0,1\}^m$, BreakOW(w) first enumerates all possible inputs $v \in \{0,1\}^m$ of $g$ in lexicographic order. For each of them it checks whether $g^{(f)}(v) = w$. If so, it checks whether returning $v$ could help some algorithm $A$ to invert $f$. For this, it calls the procedure SafeToAnswer. Roughly speaking, SafeToAnswer will return false in case this fixed $w$ correlates strongly with some outputs $y \in \{0,1\}^n$ of $f$ which occurred during the evaluation of $g^{(f)}(v)$. More exactly, SafeToAnswer enumerates all possible subsets $B$ of the answers $f$ gave in the evaluation of $g^{(f)}(v)$. It then computes the probability that an evaluation outputs $w$, conditioned on the event that the evaluation produces all outputs in $B$. If this probability is much larger than $2^{-m}$, SafeToAnswer will return false.



Algorithm BreakOW^{(f)}(w)

    procedure SafeToAnswer(w, Q):        // SafeToAnswer does not depend on f
        for all B ⊆ Q:
            if Pr_{f' ← P, v'}[ g^{(f')}(v') = w | B ⊆ QueryY(g, v', f') ] > 2^{-m + n/30}:
                return false
        return true
    done

    for all v ∈ {0,1}^m do
        if g^{(f)}(v) = w then
            if SafeToAnswer(w, QueryY(g, v, f)) then
                return v
    return ⊥



We next define the quantity $p(g)$. This is the probability that BreakOW inverts $g(v)$ by returning $v$ (actually, not quite: BreakOW might return a different preimage of $g(v)$ before it enumerates $v$; in any case, the probability that BreakOW inverts $g$ is at least $p(g)$).

$$p(g) := \Pr_{f \leftarrow \mathcal{P},\; v \leftarrow \{0,1\}^m}\big[\mathrm{SafeToAnswer}(g^{(f)}(v), \mathrm{QueryY}(g, v, f))\big] \qquad (13)$$

It is easy to see that in case $p(g) \geq \frac{1}{2}$, then $\mathrm{BreakOW}^{(f)}$ will invert $g(v)$ with noticeable probability.

Lemma 12. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be a normalized oracle construction. If $p(g) \geq \frac{1}{2}$, then

$$\Pr_{f \leftarrow \mathcal{P},\, v}\big[\mathrm{BreakOW}(g^{(f)}(v)) \text{ inverts } g^{(f)}\big] \geq \frac{1}{2}. \qquad (14)$$

Proof. Pick $v$ and $f$ at random and call BreakOW(w) for $w = g^{(f)}(v)$. When BreakOW enumerates all possible values $v$, at one point it will pick the actual chosen value $v$ unless it has returned a preimage of $w$ before. With probability at least $\frac{1}{2}$, SafeToAnswer(w, Q) returns true where $Q = \mathrm{QueryY}(g, v, f)$, in which case BreakOW(w) will return some inverse of $w$. □

Our next goal is a more interesting claim: BreakOW is unlikely to help inverting $f$ when $f$ is uniformly drawn from $\mathcal{P}$. For this, we introduce the following definition (which is motivated by the soon to follow Lemma 15).



Definition 13. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be an $r$-query normalized oracle construction. For $f: \{0,1\}^n \to \{0,1\}^n$, $y^* \in \{0,1\}^n$, and $w \in \{0,1\}^m$, the set $Q_{f,y^*,w}$ contains all pairs $(x^*, v^*)$ with the following properties:

(a) $g^{(f^*)}(v^*) = w$

(b) $x^* \in \mathrm{QueryX}(g, v^*, f^*)$, i.e., $g^{(f^*)}(v^*)$ queries $x^*$

(c) $\mathrm{SafeToAnswer}(w, \mathrm{QueryY}(g, v^*, f^*))$,

where $f^* = f^{(x^*, y^*)}$.

We will prove the next lemma in Section 6 (some intuition on why this is true can be found in Section 6.1). It states that with very high probability over the choice of $f$, the set $Q_{f,y^*,w}$ is small.

Lemma 14. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be an $r$-query normalized oracle construction, $r \leq \frac{n}{100\log(n)}$. For all $(w, y^*)$ we have

$$\Pr_{f \leftarrow \mathcal{P}}\big[|Q_{f,y^*,w}| > 2^{n/10}\big] \leq 2^{-2^{n/100r}}. \qquad (15)$$

Fix now some permutation $f$, some $y^* \in \{0,1\}^n$ and some $w \in \{0,1\}^m$. Compare runs of $\mathrm{BreakOW}^{(f)}(w)$ and $\mathrm{BreakOW}^{(f^{(x^*,y^*)})}(w)$ for a random element $x^* \in \{0,1\}^n$. The next lemma shows that the result of these two runs is equal with high probability in case $|Q_{f,y^*,w}|$ is small.

Lemma 15. Fix $f$, $y^*$, $w$. If $|Q_{f,y^*,w}| \leq 2^{n/10}$, then

$$\Pr_{x^*}\big[\mathrm{BreakOW}^{(f)}(w) \neq \mathrm{BreakOW}^{(f^*)}(w)\big] \leq 2^{n/5} \cdot 2^{-n}, \qquad (16)$$

where $f^* = f^{(x^*, y^*)}$.

Proof. Let $v$ be the result of $\mathrm{BreakOW}^{(f)}(w)$ and $v^*$ the result of $\mathrm{BreakOW}^{(f^*)}(w)$. We distinguish two cases.

First, suppose that $v^* = \bot$ or that $v^*$ occurs in the enumeration of BreakOW after $v$. This can only happen if $x^* \in \mathrm{QueryX}(g, v, f)$, because if not, $\mathrm{BreakOW}^{(f^*)}(w)$ will behave exactly the same in the iteration of $v$, and so it must also return $v$.

Second, suppose that $v = \bot$ or that $v$ occurs in the enumeration of BreakOW after $v^*$. We claim that in this case $(x^*, v^*) \in Q_{f,y^*,w}$. Clearly, conditions (a) and (c) in Definition 13 must hold, as otherwise $\mathrm{BreakOW}^{(f^*)}(w)$ will not output $v^*$. Condition (b) must also hold. Otherwise we have that $g^{(f)}(v^*) = w$ (because of (a) and the fact that $x^*$ has not been queried) and $\mathrm{QueryY}(g, v^*, f) = \mathrm{QueryY}(g, v^*, f^*)$. This would imply that $\mathrm{SafeToAnswer}(w, \mathrm{QueryY}(g, v^*, f)) = \mathrm{SafeToAnswer}(w, \mathrm{QueryY}(g, v^*, f^*))$, and so we see that if (b) did not hold, $\mathrm{BreakOW}^{(f)}(w) = v^*$.

Since the union of the set $\mathrm{QueryX}(g, v, f)$ and the set of first components of $Q_{f,y^*,w}$ has fewer than $2^{n/5}$ elements, the result follows. □

Now we can show that BreakOW usually does not help to invert $f$.

Lemma 16. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be an $r$-query normalized oracle construction, $r \leq \frac{n}{100\log(2n+m)}$. Let $A$ be an arbitrary algorithm making at most $2^{n/20}$ queries to $f$ and to BreakOW. Then, the probability that $A$ inverts $f(x)$ is at most

$$\Pr_{f \leftarrow \mathcal{P},\, x,\, A}\big[A^{f, \mathrm{BreakOW}}(f(x)) \text{ inverts } f\big] \leq 2^{-n/30}. \qquad (17)$$

Proof. First, because $f$ is picked from the set of permutations $\mathcal{P}$, we see that

$$\Pr_{x,\, f \leftarrow \mathcal{P},\, A}\big[A^{(\mathrm{BreakOW}, f)}(f(x)) \text{ inverts } f(x)\big] = \Pr_{x,\, f \leftarrow \mathcal{P},\, A}\big[A^{(\mathrm{BreakOW}, f)}(f(x)) = x\big]. \qquad (18)$$

Fix now an arbitrary function $f$. In case $f$ is such that for all pairs $(w, y^*)$ the bound $|Q_{f,y^*,w}| \leq 2^{n/10}$ holds, we get for any $x$ and any fixed randomness of $A$

$$\Pr_{x^*}\big[A^{(\mathrm{BreakOW}, f)}(f(x)) \neq A^{(\mathrm{BreakOW}^*, f^*)}(f(x))\big] \leq \frac{2^{n/20} \cdot 2^{n/5}}{2^n} \leq 2^{-n/20}, \qquad (19)$$

where $f^* = f^{(x^*, f(x))}$, $\mathrm{BreakOW} = \mathrm{BreakOW}^{(f)}$, and $\mathrm{BreakOW}^* = \mathrm{BreakOW}^{(f^*)}$. This holds because each of the $2^{n/20}$ calls to either oracle returns a different answer with probability at most $2^{n/5} \cdot 2^{-n}$ (using Lemma 15 for calls to BreakOW; for calls to $f$ this is obvious).

We can also pick $x$ and $f$ at random, then we get

$$\Pr\big[A^{(\mathrm{BreakOW}, f)}(f(x)) \neq A^{(\mathrm{BreakOW}^*, f^*)}(f(x))\big] \leq \Pr\big[\exists (w, y^*): |Q_{f,y^*,w}| > 2^{n/10}\big] + 2^{-n/20} \leq 2^{m+n} \cdot 2^{-2^{n/100r}} + 2^{-n/20} \leq 2^{-n/20+1}, \qquad (20)$$

where we applied Lemma 14.

Still fixing the randomness of $A$, we see that

$$\begin{aligned} \Pr_{f,\, x}\big[A^{(\mathrm{BreakOW}, f)}(f(x)) = x\big] &\leq \Pr_{f,\, x^*,\, x}\big[A^{(\mathrm{BreakOW}^*, f^*)}(f(x)) = x\big] + 2^{-n/20+1} & (21)\\ &= \Pr_{f,\, x^*,\, x}\big[A^{(\mathrm{BreakOW}^*, f^*)}(f(x)) = x^*\big] + 2^{-n/20+1} & (22)\\ &\leq \Pr_{f,\, x^*,\, x}\big[A^{(\mathrm{BreakOW}, f)}(f(x)) = x^*\big] + 2^{-n/20+2} & (23)\\ &= 2^{-n} + 2^{-n/20+2} \leq 2^{-n/30}, & (24)\end{aligned}$$

where we get (22) because the triples $(f^*, f(x), x)$ and $(f^*, f(x), x^*)$ have exactly the same distribution. We used (20) to get (21) and (23).

Since this holds for each random choice $A$ can make, it must also hold overall. □



5.2 The distinguishing oracle 

Oracle BreakOW described above works well in case $p(g) \geq \frac{1}{2}$. Therefore, we now concentrate on the case $p(g) < \frac{1}{2}$. In this case, there are elements $y_1, \ldots$ such that conditioned on those occurring as outputs of $f$, some elements $w$ are much more likely than others (in fact, on a random evaluation we have probability at least $\frac{1}{2}$ that a subset of the $y$'s produced satisfies this). Thus, it is not too far fetched to hope that if $f$ is a function $f: \{0,1\}^n \to \mathcal{Y}$ for some set $\mathcal{Y} \subseteq \{0,1\}^n$ which is small, then often $g^{(f)}(v)$ will be one of few possible values. Formally, we can prove the following lemma.

Lemma 17. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be an $r$-query normalized oracle construction with $p(g) < \frac{1}{2}$, $\frac{n}{100r} \in \mathbb{N}$. There exists $\mathcal{Y} \subseteq \{0,1\}^n$ of size $|\mathcal{Y}| = 2^{n/100r}$ and a set $W \subseteq \{0,1\}^m$ of size $|W| \leq 2^{m - n/100}$ such that

$$\Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; v \leftarrow \{0,1\}^m}\big[g^{(f)}(v) \in W\big] \geq \frac{1 - r^2\, 2^{-n/100r}}{2}. \qquad (25)$$

Proof. We pick $\mathcal{Y} \subseteq \{0,1\}^n$ of size $2^{n/100r}$ uniformly at random, and then set

$$W := \big\{ w \in \{0,1\}^m : \exists Q \subseteq \mathcal{Y}: |Q| = r \wedge \neg\mathrm{SafeToAnswer}(w, Q) \big\}. \qquad (26)$$

We start by showing that $|W| \leq 2^{m - n/100}$. There are fewer than $|\mathcal{Y}|^r = 2^{n/100}$ subsets $Q \subseteq \mathcal{Y}$ of size $|Q| = r$, and for each of them, SafeToAnswer considers $2^r < 2^{n/100}$ subsets $B$. For each $B$, there can be at most $2^{m - n/30}$ elements $w$ which have probability at least $2^{-m + n/30}$ conditioned on $B \subseteq \mathrm{QueryY}(g, v, f')$. Thus, in total there can be at most $2^{m - n/30 + n/100 + n/100} \leq 2^{m - n/100}$ elements in $W$.
To see (25), we note first that

$$\Pr_{\mathcal{Y},\; f \leftarrow \mathcal{F}(\mathcal{Y}),\; v \leftarrow \{0,1\}^m}\big[g^{(f)}(v) \in W\big] = \Pr_{\mathcal{Y},\; v \leftarrow \{0,1\}^m,\; (y_1, \ldots, y_r) \leftarrow P(r, \mathcal{Y})}\big[g'(v, y_1, \ldots, y_r) \in W\big], \qquad (27)$$

where the distribution $P(r, \mathcal{Y})$ over $\mathcal{Y}^r$ is the distribution of $(f(x_0), \ldots, f(x_{r-1}))$ for some fixed pairwise distinct values $x_0, \ldots, x_{r-1}$ and $f \leftarrow \mathcal{F}(\mathcal{Y})$. It has the following two properties. First, the probability that $P(r, \mathcal{Y})$ gives $r$ pairwise distinct outputs is at least $1 - \frac{r^2}{|\mathcal{Y}|}$ (by a union bound). Second, all tuples $(y_1, \ldots, y_r)$ in which the elements are pairwise distinct have the same probability when the probability is also over the choice of $\mathcal{Y}$.







Thus,

$$\begin{aligned} &\Pr_{\mathcal{Y},\; v,\; (y_1, \ldots, y_r) \leftarrow P(r, \mathcal{Y})}\big[g'(v, y_1, \ldots, y_r) \in W\big] & (28)\\ &\geq \Pr_{\mathcal{Y},\; (y_1, \ldots, y_r) \leftarrow P(r, \mathcal{Y})}\big[|\{y_1, \ldots, y_r\}| = r\big] \times & (29)\\ &\qquad \Pr_{\mathcal{Y},\; v,\; (y_1, \ldots, y_r) \leftarrow P(r, \mathcal{Y})}\big[g'(v, y_1, \ldots, y_r) \in W \,\big|\, |\{y_1, \ldots, y_r\}| = r\big] & (30)\\ &= \Pr_{\mathcal{Y},\; (y_1, \ldots, y_r) \leftarrow P(r, \mathcal{Y})}\big[|\{y_1, \ldots, y_r\}| = r\big] \times & (31)\\ &\qquad \Pr_{\mathcal{Y},\; v,\; (y_1, \ldots, y_r)}\big[g'(v, y_1, \ldots, y_r) \in W\big], & (32)\end{aligned}$$

where in this last probability the values $y_1, \ldots, y_r$ are picked uniformly from $\mathcal{Y}$ without repetition. Next, we see that

$$\begin{aligned} &\Pr_{\mathcal{Y},\; v,\; (y_1, \ldots, y_r)}\big[g'(v, y_1, \ldots, y_r) \in W\big] & (33)\\ &\geq \Pr_{\mathcal{Y},\; v,\; (y_1, \ldots, y_r)}\big[\neg\mathrm{SafeToAnswer}(g'(v, y_1, \ldots, y_r), \{y_1, \ldots, y_r\})\big] & (34)\\ &= 1 - p(g), & (35)\end{aligned}$$

because without repetition the $y_i$ have exactly the same distribution as in the definition of $p(g)$. In total,

$$\Pr_{\mathcal{Y},\; f \leftarrow \mathcal{F}(\mathcal{Y}),\; v \leftarrow \{0,1\}^m}\big[g^{(f)}(v) \in W\big] \geq \Big(1 - \frac{r^2}{2^{n/100r}}\Big)(1 - p(g)). \qquad (36)$$

□

Let now $\mathrm{BreakPU}(W)$ be the oracle which on input $w$ returns 1 if and only if $w \in W$. The next lemma states that $\mathrm{BreakPU}(W)$ does not help significantly in inverting $f$. This is intuitive, since it does not even depend on $f$ (besides the choice of $\mathcal{Y}$). Furthermore, this lemma also follows directly from [GGKT05, Theorem 1]. To see this, note that we can pick $f$ as follows: first pick any regular function $\rho: \{0,1\}^n \to \mathcal{Y}$ and then set $f = \pi \circ \rho$ for some permutation $\pi$; by [GGKT05, Theorem 1], $f$ is $|\mathcal{Y}|^{\Omega(1)}$-hard to invert even given $\rho$. We provide a proof anyhow for completeness.
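As an added illustration (example code written for this page, not part of the original paper), the following Python script instantiates the construction $g^{(f)}$ of equation (11), the oracle BreakOW with its procedure SafeToAnswer from Section 5.1, the quantity $p(g)$ of (13), and the set $W$ of (26) that $\mathrm{BreakPU}(W)$ tests membership in, all over a toy domain. It assumes $n = 2$, so that all $(2^n)! = 24$ permutations can be enumerated and the conditional probabilities inside SafeToAnswer are computed exactly, and it takes "much more likely than $2^{-m}$" to mean more than $4 \cdot 2^{-m}$, because the paper's threshold $2^{-m+n/30}$ is meaningless at this size. The fixed permutation $f$, the image set $\mathcal{Y}$ and the regular function $f_{\mathrm{reg}}$ used in the demo are constructed inputs.

```python
from fractions import Fraction
from itertools import combinations, permutations, product

# Toy parameters.  Assumption: n = 2, so that all (2^n)! = 24 permutations of {0,1}^n
# can be enumerated and every probability below is computed exactly.
N = 2
M = 2 * N                 # g takes v = (x1, x2), i.e. m = 2n bits
R = 2                     # the construction makes r = 2 queries to f
ALL_X = range(2 ** N)     # {0,1}^n, encoded as integers
ONES = 2 ** N - 1         # the all-ones string (1, ..., 1)


def g(f, v):
    """Construction (11).  f is a dict x -> f(x); v = (x1, x2).
    Returns (g^f(v), QueryY(g, v, f)), i.e. the output and the set of f's answers."""
    x1, x2 = v
    y1, y2 = f[x1], f[x2]
    out = (y1, y2) if y1 == y2 ^ ONES else (x1, x2)
    return out, frozenset((y1, y2))


PERMS = [dict(zip(ALL_X, p)) for p in permutations(ALL_X)]   # the set P of permutations
INPUTS = list(product(ALL_X, repeat=2))                      # all v in {0,1}^m, lexicographic
# One row (output, answers) per pair (f', v'): the sample space of SafeToAnswer's probability.
TABLE = [g(f, v) for f in PERMS for v in INPUTS]


def cond_prob(w, B):
    """Pr over f' <- P, v' <- {0,1}^m of [ g^{f'}(v') = w | B subset of QueryY(g, v', f') ]."""
    hits = total = 0
    for out, answers in TABLE:
        if B <= answers:
            total += 1
            hits += (out == w)
    return Fraction(hits, total) if total else Fraction(0)


def safe_to_answer(w, Q, slack=4):
    """SafeToAnswer(w, Q): false if conditioning on some B subset of Q makes w much more
    likely than 2^-m.  Assumption: 'much more likely' means more than slack * 2^-m here."""
    threshold = Fraction(slack, 2 ** M)
    for k in range(len(Q) + 1):
        for B in combinations(sorted(Q), k):
            if cond_prob(w, frozenset(B)) > threshold:
                return False
    return True


def break_ow(f, w):
    """BreakOW^{(f)}(w): the first preimage of w (lexicographic order) that is safe to
    answer, or None for the symbol bottom."""
    for v in INPUTS:
        out, answers = g(f, v)
        if out == w and safe_to_answer(w, answers):
            return v
    return None


def p_of_g():
    """p(g) of equation (13): Pr over f <- P, v of [SafeToAnswer(g^f(v), QueryY(g, v, f))]."""
    safe = sum(safe_to_answer(*g(f, v)) for f in PERMS for v in INPUTS)
    return Fraction(safe, len(PERMS) * len(INPUTS))


def build_W(Y):
    """The set W of equation (26) for an image set Y: every w for which some r-subset Q
    of Y makes SafeToAnswer(w, Q) false."""
    return {w for w in INPUTS
            if any(not safe_to_answer(w, frozenset(Q)) for Q in combinations(sorted(Y), R))}


def hit_rate(f, W):
    """Pr over v of [g^f(v) in W] for a fixed f, to compare with |W| / 2^m for a uniform w."""
    return Fraction(sum(g(f, v)[0] in W for v in INPUTS), len(INPUTS))


if __name__ == "__main__":
    f = {0: 2, 1: 0, 2: 3, 3: 1}              # constructed permutation of {0,1}^2
    print("p(g) =", p_of_g())
    # The adversary of Section 4 holds y = f(x) and asks BreakOW to invert (y, y xor 1^n).
    for y in ALL_X:
        print("BreakOW", (y, y ^ ONES), "->", break_ow(f, (y, y ^ ONES)))
    print("BreakOW (0, 1) ->", break_ow(f, (0, 1)))
    Y = {0, ONES}                             # constructed tiny image set with a complementary pair
    W = build_W(Y)
    f_reg = {0: 0, 1: 0, 2: ONES, 3: ONES}    # constructed regular function onto Y
    print("W =", sorted(W), "hit rate", hit_rate(f_reg, W), "vs uniform", Fraction(len(W), 2 ** M))
```

Running the script shows the behaviour described in Section 4 and in Lemmas 12 and 17 at toy scale: every query $\mathrm{BreakOW}(y, y \oplus 1^n)$ returns $\bot$, because conditioning on both answers $\{y, y \oplus 1^n\}$ raises the probability of that output to $\frac{1}{2}$, while an ordinary output such as $(0,1)$ is inverted; $p(g) = \frac{3}{4}$ here, since exactly the four inputs with $f(x_1) = f(x_2) \oplus 1^n$ are unsafe; and for $\mathcal{Y} = \{0, 1^n\}$ the set $W$ consists of the two outputs produced from that complementary pair, which a regular $f$ onto $\mathcal{Y}$ hits with probability $\frac{1}{2}$ against $|W|/2^m = \frac{1}{8}$ for a uniform string.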

Lemma 18. Let $A$ be an arbitrary oracle algorithm making at most $2^{n/1000r}$ queries, $|\mathcal{Y}| = 2^{n/100r}$, $\frac{n}{1000r} \in \mathbb{N}$. Then,

$$\Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; A}\big[A^{f, \mathrm{BreakPU}}(f(x)) \text{ inverts } f\big] \leq 2^{-n/1000r}, \qquad (37)$$

where $\mathrm{BreakPU} = \mathrm{BreakPU}(W)$ for an arbitrary set $W$.

The proof is similar to the proof of Lemma 16.

Proof. We first note that

$$\Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; A}\big[A^{f, \mathrm{BreakPU}}(f(x)) \text{ inverts } f(x)\big] = \frac{2^n}{|\mathcal{Y}|} \cdot \Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; A}\big[A^{f, \mathrm{BreakPU}}(f(x)) = x\big], \qquad (38)$$

because for any fixed $f(x)$, the value of $x$ is still uniform among the $\frac{2^n}{|\mathcal{Y}|}$ preimages.


Now, fix any $x$ and any $f$, and let $q = 2^{n/1000r}$ be the upper bound on the number of queries by $A$. Keeping the randomness of $A$ fixed,

$$\Pr_{x^*}\big[A^{f, \mathrm{BreakPU}}(f(x)) \neq A^{f^*, \mathrm{BreakPU}}(f(x))\big] \leq \frac{q}{2^n}, \qquad (39)$$

where $f^* = f^{(x^*, f(x))}$, because the output of $A^{f^*, \mathrm{BreakPU}}(f(x))$ can only differ from $A^{f, \mathrm{BreakPU}}(f(x))$ in case $x^*$ is one of the elements on which $A$ queried $f$. As in the proof of Lemma 16,

$$\begin{aligned} \Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x}\big[A^{f, \mathrm{BreakPU}}(f(x)) = x\big] &\leq \Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; x^*}\big[A^{f^*, \mathrm{BreakPU}}(f(x)) = x\big] + \frac{q}{2^n} & (40)\\ &= \Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; x^*}\big[A^{f^*, \mathrm{BreakPU}}(f(x)) = x^*\big] + \frac{q}{2^n} \leq \frac{q+1}{2^n}. & (41)\end{aligned}$$

Together,

$$\Pr_{f \leftarrow \mathcal{F}(\mathcal{Y}),\; x,\; A}\big[A^{f, \mathrm{BreakPU}}(f(x)) \text{ inverts } f(x)\big] \leq \frac{2^n}{|\mathcal{Y}|} \cdot \frac{q+1}{2^n} = \frac{q+1}{|\mathcal{Y}|} \leq 2^{-n/1000r}. \qquad (42)$$

□

5.3 Proving the main result 

The above lemmas can be used to prove Theorem 5, which we restate here for reference.

Theorem 5. Let $n(k), r(k) \in \mathrm{poly}(k)$ be computable in time $\mathrm{poly}(k)$, and assume that $r(k) \in o\big(\frac{n(k)}{\log(n(k))}\big)$. There exists no security parameter restricted fully black-box construction of a pseudorandom generator from a one-way function which has the property that $g(k, v)$ does at most $r(k)$ calls to $f(k, \cdot)$.

Proof. In order to get a contradiction, we assume otherwise. Because of Theorem 9, we can also assume that we have a fully black-box reduction which gives a pseudouniform one-way function (which is defined in a way analogous to Definition 3).

Thus, suppose we have some construction $(g, A)$. We want to instantiate the construction with length preserving one-way functions, where the input and output length equals the security parameter $k$, i.e., $n(k) := n'(k) := k$. The construction must work for this choice by definition.

We can assume that $\frac{n(k)}{1000\, r(k)} \in \mathbb{N}$ for all but finitely many $k$, because we can increase $r(k)$ such that this holds and such that still $r(k) \in o\big(\frac{n(k)}{\log(n(k))}\big)$.

We now make sure that our construction is normalized. For this, we modify $g$ such that it makes exactly $r(k)$ pairwise distinct queries to $f$; clearly, this is no problem.

We then define

$$\hat{g}_k^{(f_k)}(v) := \begin{cases} (\bot, v) & \text{if two queries of } f_k \text{ yield the same output} \\ g_k^{(f_k)}(v) & \text{otherwise.} \end{cases} \qquad (43)$$

Next, we will provide, for each $k$ separately, two oracles $f$ and $B = \mathrm{Breaker}$. We construct these oracles such that $B$ breaks the security property of $\hat{g}^{(f)}$ for all but finitely many $k$, and yet the probability that $A^{\mathrm{Breaker}, f}$ inverts $f$ is negligible.

For this, we consider $p(g_k)$ for each $k$ separately. If $p(g_k) \geq \frac{1}{2}$ we set $\mathrm{Breaker}_k$ to be BreakOW. By Lemma 12 we see that for these $k$

$$\Pr_{f_k \leftarrow \mathcal{P},\, v}\big[\mathrm{Breaker}_k(g_k^{(f_k)}(v)) \text{ inverts } g_k^{(f_k)}\big] \geq \frac{1}{2}. \qquad (44)$$

By Lemma 16 we also see that, if $k$ is large enough,

$$\Pr_{f_k \leftarrow \mathcal{P},\, x,\, A}\big[A^{f_k, \mathrm{Breaker}_k}(f_k(x)) \text{ inverts } f_k\big] \leq 2^{-n(k)/30}. \qquad (45)$$

Note that in this case, $\hat{g}_k$ behaves the same as $g_k$, because no two queries to a permutation $f_k$ can output the same value. Applying Markov's inequality, for a fraction of at least $\frac{1}{10}$ of the functions $f_k$ we have

$$\Pr_v\big[\mathrm{Breaker}_k(g_k^{(f_k)}(v)) \text{ inverts } g_k^{(f_k)}\big] \geq \frac{1}{10}. \qquad (46)$$

Furthermore, for a fraction of at least $\frac{99}{100}$ of the functions $f_k$ we have

$$\Pr_{x,\, A}\big[A^{f_k, \mathrm{Breaker}_k}(f_k(x)) \text{ inverts } f_k\big] \leq 100 \cdot 2^{-n(k)/30}. \qquad (47)$$

We pick a function for which both (46) and (47) are satisfied.

If $p(g_k) < \frac{1}{2}$, Lemma 17 gives a set $W_k \subseteq \{0,1\}^{m(k)}$ and $\mathcal{Y}_k \subseteq \{0,1\}^{n(k)}$. For $n$ large enough, $A$ satisfies the requirements of Lemma 18, and we see that

$$\Pr_{f_k \leftarrow \mathcal{F}(\mathcal{Y}_k),\; A,\; x \leftarrow \{0,1\}^{n(k)}}\big[A^{\mathrm{BreakPU}(W_k), f_k}(f_k(x)) \text{ inverts } f_k(x)\big] \leq 2^{-n(k)/1000 r(k)}, \qquad (48)$$

which is negligible. By Lemma 17,

$$\Pr_{f_k \leftarrow \mathcal{F}(\mathcal{Y}_k),\; v}\big[g_k^{(f_k)}(v) \in W_k\big] \geq \frac{1}{4}, \qquad (49)$$

again for $k$ large enough. Because $\mathcal{Y}_k$ is of superpolynomial size, the probability that $\hat{g}_k$ outputs $(\bot, v)$ is still negligible. Thus, we can argue as before, and there is some choice of $f_k$ for which

$$\Pr_{A,\; x \leftarrow \{0,1\}^{n(k)}}\big[A^{\mathrm{Breaker}_k, f_k}(f_k(x)) \text{ inverts } f_k(x)\big] \leq 2^{-n(k)/1000 r(k)}, \text{ and} \qquad (50)$$

$$\Pr_{v \leftarrow \{0,1\}^{m(k)}}\big[\hat{g}_k^{(f_k)}(v) \in W_k\big] \geq \frac{1}{10}. \qquad (51)$$

We fix such a choice for $f_k$ and set $\mathrm{Breaker}_k := \mathrm{BreakPU}(W_k)$.

We conclude that while the statement analogous to (3) holds (for breaking either the pseudouniformity or for inverting $\hat{g}$), the statement that $A$ inverts $f$ with noticeable probability fails to hold, and so we get a contradiction. □



6 Proof of Lemma 14

In this section, we give the proof of Lemma 14. However, before giving the proof, we provide some intuition in Section 6.1 (which can be skipped if desired).
6.1 Intuition



Fix $(f, y^*, w)$, and assume that $(x^*, v^*) \in Q_{f,y^*,w}$. Consider the query-answer pairs $\{(x_1, y_1), \ldots, (x_r, y_r)\} = \mathrm{Query}(g, v^*, f^{(x^*,y^*)})$ which occur in an evaluation of $g^{(f^{(x^*,y^*)})}(v^*)$. The pair $(x^*, y^*)$ must be in this set, as otherwise conditions (a) or (b) of Definition 13 would not hold, and to simplify the discussion we make the (unrealistic) assumption that always $(x^*, y^*) = (x_r, y_r)$. Now consider the set $T = \{(x_1, y_1), \ldots, (x_{r-1}, y_{r-1})\}$. Let us call $T$ an incrementor for $|Q_{f,y^*,w}|$, because whenever $f$ satisfies $f(x_i) = y_i$ for $i \in \{1, \ldots, r-1\}$, the set $Q_{f,y^*,w}$ grows by 1.$^7$

Now, still fixing $(f, y^*, w)$, the total number of such "incrementors" for $|Q_{f,y^*,w}|$ is at most $2^{(r-1)n + n/20}$. To see this, we argue that otherwise (for $y_r$ being the answer of the $r$-th query in the evaluation)

$$\Pr_{f' \leftarrow \mathcal{P},\, v'}\big[g^{(f')}(v') = w \,\big|\, y_r = y^*\big] \geq 2^{-m + n/20}, \qquad (52)$$

because any of the incrementors survives$^8$ the picking of $f$ with probability roughly$^9$ $2^{-(r-1)n}$. Thus, if there are $2^{(r-1)n + n/20}$ incrementors, in expectation $2^{n/20}$ will survive the picking of $f$, and if we pick one$^{10}$ of the $2^{n/20}$ values $v^*$ which survived we get an element for which $g^{(f)}(v^*) = w$ (conditioning on $y_r = y^*$). Now, (52) roughly contradicts $\mathrm{SafeToAnswer}(w, Q)$ for $B = \{y^*\}$ (up to some issues due to our simplifying assumption that $(x^*, y^*)$ is always $(x_r, y_r)$, but since $r^r < 2^n$ they do not matter much).

Thus, there are at most $2^{(r-1)n + n/20}$ incrementors for $|Q_{f,y^*,w}|$, and so in expectation $|Q_{f,y^*,w}| \leq 2^{n/20}$. However, we need to prove that $|Q_{f,y^*,w}|$ is small with (very) high probability, and not only in expectation. Luckily for us, Kim and Vu [KV00] proved a concentration bound which can be applied in our setting. Translated to our setting, they show that concentration does hold if several conditions are given. First, it needs to hold that all probabilities checked in SafeToAnswer are smaller than $2^{-m + n/30}$ (which is, besides Lemma 17, the reason that SafeToAnswer is defined the way it is defined). Second, they roughly require that $r^r < 2^n$, which holds in our case, because we assume that $r \in o(n/\log(n))$. Finally, they require that the events $f(x_1) = y_1$ and $f(x_2) = y_2$ are independent, which of course is a problem, because this does not hold in our case. Luckily, it turns out that this last requirement can be relaxed somewhat using a proof technique implicit in [SSS95] (see [Rao08, IK10]). A proof of a Kim-Vu style concentration bound in this form was given by the first author in [Hol11].



6.2 The polynomial $P_{w,y^*}$

To prove Lemma 14, we will first find a polynomial $P_{w,y^*}$ of degree $r$ in variables $F_{(x,y)}$ for all $x, y \in \{0,1\}^n$. The polynomial will have the following property: fix an arbitrary function $f: \{0,1\}^n \to \{0,1\}^n$, and set the variables $F_{(x,y)}$ as follows:

$$F_{(x,y)} = \begin{cases} 1 & \text{if } f(x) = y \\ 0 & \text{otherwise.} \end{cases} \qquad (53)$$

We will see that the value of $P_{w,y^*}$ for these values (evaluated over $\mathbb{R}$ or $\mathbb{N}$) gives an upper bound on $|Q_{f,y^*,w}|$. We denote this value by $P_{w,y^*}(f)$.



$^7$ Ignoring a few reasons why this might not be true sometimes, like the fact that SafeToAnswer might return false.

$^8$ Formally, surviving means that $f(x_i) = y_i$ for all pairs $(x_i, y_i)$ in the incrementor.

$^9$ Ignoring a very slight dependence in this discussion which arises from the fact that $f$ is picked as a permutation.

$^{10}$ Only one incrementor with a fixed $v^*$ can survive with our assumptions.
The polynomial $P_{w,y^*}$ is obtained by a run of algorithm BuildPolynomial(w, y*).

Algorithm BuildPolynomial(w, y*)

    P_{w,y*} := 0
    for all (y_1, ..., y_r) ∈ ({0,1}^n)^r do
        if SafeToAnswer(w, {y_1, ..., y_r}) then
            for all v ∈ {0,1}^m do
                if g'(v, y_1, ..., y_r) = w ∧ y* ∈ {y_1, ..., y_r} then
                    T := {(x_i, y_i) : i ∈ {1, ..., r} and y_i ≠ y* and
                          x_i is the i-th query done by g'(v, y_1, ..., y_r)}
                    P_{w,y*} := P_{w,y*} + ∏_{(x,y) ∈ T} F_{(x,y)}
    return P_{w,y*}

For readers who did not skip the intuition, we can connect this with Section 6.1. The term $\prod_{(x,y) \in T} F_{(x,y)}$ corresponds to an incrementor, and we note that if the incrementor survives the picking, the summand in the polynomial will evaluate to 1.

Lemma 19. For any $f$, $w$, $y^*$ we have $|Q_{f,y^*,w}| \leq P_{w,y^*}(f)$.

Proof. Pick $f$ at first, and then consider a run of BuildPolynomial. We show that for each pair $(x^*, v^*) \in Q_{f,y^*,w}$ the procedure BuildPolynomial(w, y*) adds a monomial to $P_{w,y^*}$ which evaluates to 1 under $f$.

Fix now a pair $(x^*, v^*) \in Q_{f,y^*,w}$, and let $(x_1, y_1), \ldots, (x_r, y_r)$ be the pairs of queries and answers made to $f^{(x^*,y^*)}$ in an evaluation of $g^{(f^{(x^*,y^*)})}(v^*)$. It must be that $x^* \in \{x_1, \ldots, x_r\}$ because of condition (b) in Definition 13, and so $(x^*, y^*) \in \{(x_1, y_1), \ldots, (x_r, y_r)\}$. $\mathrm{SafeToAnswer}(w, \{y_1, \ldots, y_r\})$ must also hold (as otherwise $(x^*, v^*) \notin Q_{f,y^*,w}$). Thus, when BuildPolynomial enumerates the values $(y_1, \ldots, y_r)$ and $v^*$, it adds $\prod_{(x,y) \in T} F_{(x,y)}$ to $P_{w,y^*}$, which is 1 for the assignment given by $f$ to the variables (note that $T$ does not contain $(x^*, y^*)$). □



6.3 Derivatives of $P_{w,y^*}$

Let now $B \subseteq \{F_{(x,y)}\}$ be a subset of the variables $F_{(x,y)}$. For any multilinear polynomial $P$ in the variables $\{F_{(x,y)}\}$ we let $\partial_B P$ be the formal derivative of $P$ with respect to the variables in $B$. For example, $\partial_{\{F_{(1,1)}, F_{(2,2)}\}}\big(F_{(1,1)}F_{(2,2)}F_{(3,3)} + F_{(1,1)}F_{(3,3)}F_{(4,4)}\big) = F_{(3,3)}$.

Let $\mathcal{F}^*$ be the distribution over the variables $F_{(x,y)}$ in which each $F_{(x,y)}$ is 1 with probability $2^{-n}$ and 0 otherwise, and all variables are independent. When we pick the variables according to this distribution, they usually cannot have been derived from a function $f$ as in (53). Nevertheless, this distribution is useful to express combinatorial properties of our polynomials. We denote the value of the polynomial evaluated at such a point $F$ by $P_{w,y^*}(F)$.

Lemma 20. For any $B \subseteq (\{0,1\}^n)^2$ and any $(w, y^*)$:

$$\mathbb{E}_{F \leftarrow \mathcal{F}^*}\big[(\partial_B P_{w,y^*})(F)\big] \leq 2^{n/20}. \qquad (54)$$

Proof. Suppose otherwise, and fix a triple $(B, w, y^*)$ for which (54) fails to hold. We will derive a contradiction.

The polynomial $\partial_B P_{w,y^*}$ is the sum of all monomials in $P_{w,y^*}$ which contain the factor $\prod_{(x,y) \in B} F_{(x,y)}$, but with this factor removed. Each such summand contributes $2^{-n(r-1-|B|)}$ to the expectation in (54), and so there are at least $2^{n/20 + n(r-1-|B|)}$ monomials containing a factor $\prod_{(x,y) \in B} F_{(x,y)}$ in $P_{w,y^*}$. This implies that there are at least that many monomials containing a factor of the form $\prod_{(x,y) \in B} F_{(x',y)}$, where $F_{(x',y)}$ is an arbitrary variable whose second index is $y$.

The following algorithm adds $2^{-n(r-1-|B|)}$ to a counter for each such monomial in $P_{w,y^*}$. Therefore, it outputs at least $2^{n/20}$.



Algorithm UpperBound(B, w, y*)

    E_{B,w,y*} := 0
    B' := {y*} ∪ {y : (x, y) ∈ B}
    for all (y_1, ..., y_r) ∈ ({0,1}^n)^r do
        if B' ⊆ {y_1, ..., y_r} then
            if SafeToAnswer(w, {y_1, ..., y_r}) then
                for all v ∈ {0,1}^m do
                    if g'(v, y_1, ..., y_r) = w then
                        E_{B,w,y*} := E_{B,w,y*} + 2^{-n(r - |B'|)}
    return E_{B,w,y*}



Consider now an arbitrary $(y_1, \ldots, y_r)$ for which $E_{B,w,y^*}$ gets increased in this algorithm. We want to show that $\neg\mathrm{SafeToAnswer}(w, \{y_1, \ldots, y_r\})$, i.e., we want to show that

$$\Pr_{f' \leftarrow \mathcal{P},\, v'}\big[g^{(f')}(v') = w \,\big|\, B'' \subseteq \mathrm{QueryY}(g, v', f')\big] > 2^{-m + n/30} \qquad (55)$$

for some $B'' \subseteq \{y_1, \ldots, y_r\}$. Of course, it suffices to show this for $B'' = B'$. To see that (55) holds for $B'' = B'$ we compute

$$\begin{aligned} &\Pr_{f' \leftarrow \mathcal{P},\, v'}\big[g^{(f')}(v') = w \,\big|\, B' \subseteq \mathrm{QueryY}(g, v', f')\big] & (56)\\ &= \frac{\Pr_{f' \leftarrow \mathcal{P},\, v'}\big[g^{(f')}(v') = w \wedge B' \subseteq \mathrm{QueryY}(g, v', f')\big]}{\Pr_{f' \leftarrow \mathcal{P},\, v'}\big[B' \subseteq \mathrm{QueryY}(g, v', f')\big]} & (57)\\ &= \frac{\Pr_{v',\, y_1, \ldots, y_r}\big[g'(v', y_1, \ldots, y_r) = w \wedge B' \subseteq \{y_1, \ldots, y_r\}\big]}{\Pr_{y_1, \ldots, y_r}\big[B' \subseteq \{y_1, \ldots, y_r\}\big]} & (58)\\ &\geq \frac{2^{(r - |B'|)n + n/20} \cdot 2^{-m - rn}}{\binom{r}{|B'|}\,(|B'|!)\, 2^{-|B'|(n-1)}} & (59)\\ &\geq \frac{2^{-m - |B'|n + n/20}}{2^{r\log(r)}\, 2^{-|B'|(n-1)}} = 2^{-m + n/20 - r\log(r) - |B'|} > 2^{-m + n/30}, & (60)\end{aligned}$$

where in (58) and afterwards, $y_1, \ldots, y_r$ are picked uniformly from $\{0,1\}^n$, but without repetition. The numerator in (59) can then be seen as follows: first, note that the probability only decreases if one picks the $y_i$ with repetition, but additionally requires them to be different for the event to occur. After that, one notices that there must be at least $2^{(r - |B'|)n + n/20}$ tuples $(v, y_1, \ldots, y_r)$ for which $E_{B,w,y^*}$ gets increased in the algorithm UpperBound. The denominator follows by noting that we can first choose how to assign the values in $B'$ to the elements $(y_1, \ldots, y_r)$ (there are $\binom{r}{|B'|}(|B'|!)$ possibilities for this), and then check whether this assignment occurs, which happens with probability at most $2^{-|B'|(n-1)}$. Thus, we get that $\neg\mathrm{SafeToAnswer}(w, \{y_1, \ldots, y_r\})$ must hold for any tuple where $E_{B,w,y^*}$ is increased, which is the required contradiction. □
6.4 Kim-Vu style concentration

In a fundamental paper [KV00], Kim and Vu consider low degree polynomials $P$ in variables $x_1, \ldots, x_\ell$, and show that if $\partial_B P$ can be bounded (as in Lemma 20), then $P$ will be concentrated around its expectation, assuming the variables $x_i$ are picked independently at random.

Because in our case the variables are not picked independently, we need to use a different bound (other than that, the original Kim-Vu bound would be strong enough for our purpose). The bound we use requires the following concept of almost independence.

Definition 21. A distribution $P_x$ over $\{0,1\}^\ell$ is $(\delta, m)$-almost independent if for all sets $M$ of size $|M| \leq m$ and any $j \notin M$

$$\Pr_{x \leftarrow P_x}\big[x_j = 1 \,\big|\, \forall i \in M: x_i = 1\big] \leq \Pr_{x \leftarrow P_x}\big[x_j = 1\big](1 + \delta). \qquad (61)$$

We use the following bound, which is proven in [Hol11]. It uses a technique first used implicitly by [SSS95], which was later used in [Rao08] to prove concentration bounds for parallel repetition, and by [IK10] to prove constructive concentration results.

For a polynomial $P$ in variables $x_i$, and a distribution $P_x$ over these variables, we let $P_x^*$ be the distribution obtained by picking each $x_i$ independently of the others, but with the marginal distribution given by $P_x$. We then set $\mu^* = \mathbb{E}_{x \leftarrow P_x^*}[P(x)]$ and $E^* = \max_{\emptyset \neq B \subseteq \{x_1, \ldots, x_\ell\}} \mathbb{E}_{x \leftarrow P_x^*}[\partial_B P(x)]$.

Theorem 22. Let $P_x$ be a $(\delta, rm)$-almost independent distribution over $\{0,1\}^\ell$. Let $P(x)$ be a polynomial of degree at most $r$ in the variables $x_i$, i.e., $P(x) = \sum_j v_j$ with $v_j = \prod_{i \in e_j} x_i$, where $|e_j| \leq r$.
Then, 



Pr 



P(x) >^(1 + e)\ < ^ + £ ) • (62) 



Using this bound, we can now prove Lemma 14.

Proof (of Lemma 14). We use Theorem 22 on the polynomial $P_{w,y^*}$, where we set $\delta = 1$, $\varepsilon = 2^{n/100}/\mu^*$ and $m = 2^{n/100r}$. We note first that indeed the random variables $F_{(x,y)}$ are $(\delta, rm)$-almost independent: conditioning on $F_{(x,y)} = 1$ is the same as conditioning on $f(x) = y$, and so we can see that one needs to condition on at least $2^{n-1}$ such events in order to double the probability that $F_{(x,y)} = 1$ for any $(x, y)$.

Thus, Theorem [22] yields: 

9n ,T max(2, l£™^L \ 2 n/ioor 
Pi -\P w , y * (/) > H* + 2100] < ( L_i L\ (63) 

f<-V V 2TUU / 

/2-2 r a* 2-2 r r r 2TkE*\2 n/100r , . 

<max gj— , ^ (64) 

V 2Too 2Too ' 

< (kr /100r , (65) 

where we applied Lemma 20 to bound both $\mu^*$ and $E^*$ in the last step. An application of Lemma 19 finishes the proof. □
7 Non-uniform reductions and superpolynomial security



Theorem 5 excludes the existence of a uniform black-box reduction constructing a pseudorandom generator from a one-way function with few calls. Potentially, one way to overcome this lower bound would be to give a non-uniform security reduction, in which case the result would be weaker, but still very interesting. Such non-uniform constructions can be excluded by the techniques given in [GGKT05], and we apply their technique here to prove that our lower bound applies to non-uniform constructions as well.

Furthermore, we also generalize our results to one-way functions with different security. 

Definition 23. A non-uniform fully black-box construction of a pseudorandom generator from a regular one-way function with security $s(k)$ consists of two oracle algorithms $(g, A)$. The construction $g$ is a polynomial time oracle algorithm which provides, for each $k$, a function $g_k: \{0,1\}^{m(k)} \to \{0,1\}^{m'(k)}$ with $m'(k) > m(k)$. For this, $g_k$ may call $f_k$ as an oracle, and $m(k), m'(k)$ may depend on $n(k)$ and $n'(k)$.

Further, the security reduction $A^{(\cdot,\cdot)}(k, \cdot, \cdot)$ is an oracle algorithm which does at most $s(k)$ queries, and has the property that for any regular function $f$ and any oracle $B$ for which

$$\Pr_{v,\, B}\big[B(k, g_k(v)) = 1\big] - \Pr_{w,\, B}\big[B(k, w) = 1\big] \geq \frac{1}{100} \qquad (66)$$

for infinitely many $k$, there is $h_k \in \{0,1\}^{s(k)}$ such that

$$\Pr_{x,\, A}\big[A^{(f,B)}(k, h_k, f_k(x)) \text{ inverts } f_k\big] \geq \frac{1}{s(k)} \qquad (67)$$

for infinitely many $k$.

Similar to before, $A(k, \cdot, \cdot)$ only calls the oracles $f(k, \cdot)$ and $B(k, \cdot)$.

In an actual reduction, one would of course expect that it works given a much weaker condition than (66). In particular, a reasonable reduction will invert $f$ with some probability if the constant $\frac{1}{100}$ is replaced by the inverse of any polynomial. Excluding constructions which even adhere to Definition 23 is of course then stronger.

7.1 BreakOW does not non-uniformly invert 

We first show that no non-uniform oracle algorithm with access to BreakOW inverts a random permutation $f$.

Lemma 24. Let $g^{(\cdot)}: \{0,1\}^m \to \{0,1\}^{m'}$ be an $r$-query normalized oracle construction, $\frac{n}{10} \in \mathbb{N}$. Fix an oracle function $C^{(\mathrm{BreakOW}, f)}(y)$ making at most $q \leq 2^{n/10}$ queries to its oracles. Let $\mathcal{W}$ be the set which contains all permutations $f \in \mathcal{P}$ for which both

$$\Pr_{y \leftarrow \{0,1\}^n}\big[C^{(\mathrm{BreakOW}, f)}(y) = f^{-1}(y)\big] \geq 2^{-n/10}, \text{ and} \qquad (68)$$

$$\forall w, y^*: |Q_{f,y^*,w}| \leq 2^{n/10} \qquad (69)$$

hold. Then, $\frac{|\mathcal{W}|}{|\mathcal{P}|} \leq 2^{-2^{n/2}}$.

Proof. As in [GGKT05], we find an encoding of $f$ which is $2^{n/2}$ bits shorter than $\log(2^n!)$ (the minimal length of a bitstring needed to describe an arbitrary permutation on $2^n$ elements). The encoding has the property that $f$ can be recovered (given $C$) from it. Actually, it is somewhat easier to describe the encoding simply as an injective function $\mathcal{T}$ mapping $\mathcal{W}$ into a set with fewer than $(2^n!)\,2^{-2^{n/2}}$ elements, which is of course equivalent.

Fix some function $f$ which satisfies both (68) and (69). We first find a large subset $S$ of the images of $f$, which has the property that $\mathcal{F}$ does not need to describe how $f$ maps elements of $f^{-1}(S)$ to $S$, and yet $\mathcal{F}$ will be injective. For this, we first modify $C$ such that whenever it queries $v = \mathrm{BreakOW}^{(f)}(w)$, it afterwards evaluates $g^{(f)}(v)$ on the result (unless BreakOW returned $\bot$). Then, the following algorithm outputs $S$.



Algorithm BuildSets($f$)
    Modify $C$ as in the text
    $I := \{ y : C^{(\mathrm{BreakOW}, f)}(y) = f^{-1}(y) \}$
    $S := \emptyset$
    while $I \ne \emptyset$ do
        $y^* \leftarrow I$   // An arbitrary element of $I$
        $S := S \cup \{y^*\}$
        Let $Q$ be the answers of $f$ to the queries done by $C^{(\mathrm{BreakOW}, f)}(y^*)$.
        for $x^* \in \{0,1\}^n$ do
            $f' := f_{x^*, y^*}$
            if there is $w$ such that $C^{(\mathrm{BreakOW}, f)}(y^*)$ calls $\mathrm{BreakOW}^{(f)}(w)$ and
               $\mathrm{BreakOW}^{(f)}(w) \ne \mathrm{BreakOW}^{(f')}(w)$ then
                $Q := Q \cup \mathrm{QueryY}(g, \mathrm{BreakOW}^{(f')}(w), f)$
        $I := I \setminus (Q \cup \{y^*\})$
    return $S$



We show that $|S| \ge s := 2^{n - \tilde n} / (2^{2\tilde n} + r 2^{\tilde n} + 1)$. First, from (68) we see that $|I| \ge 2^{n - \tilde n}$. We claim that for each $y^*$, $Q$ has size at most $|Q| \le 2^{\tilde n} \cdot 2^{\tilde n} + r 2^{\tilde n}$ when it is removed from $I$, so that every iteration of the while loop removes at most $|Q| + 1$ elements from $I$. We get this since $C$ makes at most $2^{\tilde n}$ calls to $\mathrm{BreakOW}(w)$, and Lemma 15 implies that for each of these calls, there can be at most $2^{\tilde n}$ elements $x^*$ for which $\mathrm{BreakOW}^{(f)}(w) \ne \mathrm{BreakOW}^{(f')}(w)$. Further, the modified $C$ makes at most $r 2^{\tilde n}$ calls to $f$ (due to our modification above this is a bit larger than the $2^{\tilde n}$ calls of the original $C$).

Let now $S' \subseteq S$ be some subset of size $s$, set $t = 2^n - s$, and let $x_0, \ldots, x_{t-1}$ be the elements of $\{0,1\}^n$ which are not preimages of elements in $S'$, in lexicographic order. We show in the next paragraph that the map $\mathcal{F}$ which maps $f \mapsto (x_0, f(x_0), \ldots, x_{t-1}, f(x_{t-1}))$ is injective. The number of possible images can be counted by first considering the possible sets $\{x_0, \ldots, x_{t-1}\}$ and $\{f(x_0), \ldots, f(x_{t-1})\}$ (there are $\binom{2^n}{t} = \binom{2^n}{s}$ choices for each of them) and then considering the $t!$ bijections from the first to the second set, which shows that

$$\frac{|W|}{|\mathcal{P}|} \le \binom{2^n}{s}^2 \frac{(2^n - s)!}{2^n!} = \binom{2^n}{s} \frac{1}{s!} \le \left(\frac{e^2 \, 2^n}{s^2}\right)^{s} \le 2^{-2^{n/2}}. \qquad (70)$$

(The middle inequality uses $\binom{2^n}{s} \le (e 2^n / s)^s$ and $s! \ge (s/e)^s$.)
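As an added illustration (not part of the paper), the following Python code evaluates the counting behind (70) exactly for small parameters: for $N = 2^n$ it computes $\log_2$ of $\binom{N}{s}^2 (N-s)!/N! = \binom{N}{s}/s!$, compares it with the bound $(e^2 N / s^2)^s$, and reports how many bits the encoding saves over the optimal $\log_2(N!)$. The parameter values used below ($n = 10$, $s = 128$) are chosen for illustration only and are not the $s$ of the lemma; the function names are ours.

```python
"""Exact counting check for the compression argument behind (70).

Constructed example: an encoding that omits the s entries of f^{-1}(S') has
at most binom(N, s)^2 (N - s)! possible values, against N! permutations.
"""
import math


def log2_encoding_ratio(N: int, s: int) -> float:
    """Exact log2 of binom(N,s)^2 (N-s)! / N!, which equals log2(binom(N,s) / s!).

    Negative values mean the encoding is shorter than log2(N!) bits, i.e. the
    set W of permutations admitting such an encoding is a small fraction of all.
    """
    return math.log2(math.comb(N, s)) - math.log2(math.factorial(s))


def log2_ratio_bound(N: int, s: int) -> float:
    """log2 of (e^2 N / s^2)^s, from binom(N,s) <= (eN/s)^s and s! >= (s/e)^s."""
    return s * math.log2(math.e ** 2 * N / s ** 2)


def bits_saved(n: int, s: int) -> float:
    """Bits saved over log2(2^n!) when s images need not be encoded.

    Compression only starts once s exceeds roughly e * 2^{n/2}: below that,
    binom(2^n, s) is larger than s! and the "encoding" is longer, not shorter.
    """
    return -log2_encoding_ratio(2 ** n, s)


if __name__ == "__main__":
    n, s = 10, 128
    print("log2 ratio:", log2_encoding_ratio(2 ** n, s))
    print("bound     :", log2_ratio_bound(2 ** n, s))
    print("bits saved:", bits_saved(n, s))
```

The lemma needs the saving to reach $2^{n/2}$ bits; with $n = 10$ that is $32$ bits, which $s = 128$ already delivers, whereas a tiny $s$ (say $s = 4$) saves nothing at all.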

It remains to show that the map is injective. To see this, suppose that $f_1 \ne f_2$ satisfy $\mathcal{F}(f_1) = \mathcal{F}(f_2)$. Then, $f_1^{-1}(y) = f_2^{-1}(y)$ for all $y$ for which $f_1^{-1}(y) \ne C^{(\mathrm{BreakOW}, f_1)}(y)$ (the pair $(f_1^{-1}(y), y)$ appears in $\mathcal{F}(f_1)$, and so it must also appear in $\mathcal{F}(f_2)$). Since this holds analogously for $f_2$, there must be $(x_1, x_2, y)$ such that $x_1 = C^{(\mathrm{BreakOW}, f_1)}(y) = f_1^{-1}(y) \ne f_2^{-1}(y) = C^{(\mathrm{BreakOW}, f_2)}(y) = x_2$.

Since the two answers of $C(y)$ differ in the two runs, there must be some call of $C$ to an oracle with the same input, but for which the two answers differ. This cannot be a call to the oracle $f_1$ or $f_2$, as otherwise this call would appear in $\mathcal{F}(f_1)$ and in $\mathcal{F}(f_2)$. Thus, it must be that for some $w$ we have $v_1 := \mathrm{BreakOW}^{(f_1)}(w) \ne \mathrm{BreakOW}^{(f_2)}(w) =: v_2$, and $\mathrm{BreakOW}(w)$ is actually called by $C$ in both experiments. Suppose without loss of generality that $v_1$ occurs first in the enumeration within BreakOW. Then, one of the queries which $g^{(f_1)}(v_1)$ does must have answer $y$, as otherwise all elements of $\mathrm{Query}(g, v_1, f_1)$ would appear in $\mathcal{F}(f_1)$, and so $\mathrm{BreakOW}^{(f_2)}(w) = v_1$ as well. Thus, one of the answers was $y$, and since the other answers appear in $\mathcal{F}(f_1)$, $f_2$ and $f_1$ behave the same for these answers. But this implies that $\mathrm{BreakOW}^{(f_2)}(w) \ne \mathrm{BreakOW}^{(f_2')}(w)$, where $f_2' = (f_2)_{x_1, y}$, and so $(x_1, f_2(x_1))$ must appear in $\mathcal{F}(f_2)$, which contradicts $\mathcal{F}(f_1) = \mathcal{F}(f_2)$. $\square$

7.2 Non-uniform black-box separation 

We can now prove Theorem [61 which we restate for convenience. 

Theorem 6. Let $r(k)$, $s(k)$, $n(k)$ be given, and assume $r(k) < \frac{n(k)}{1000 \log(s(k))}$ for infinitely many $k$. Then, there is no non-uniform security parameter restricted fully black-box construction of a pseudorandom generator from a one-way function with security $s$ which has the property that $g(k, v)$ does at most $r(k)$ calls to $f(k, \cdot)$.

Proof. As previously, we use Theorem 9 and thus assume we have a non-uniform fully black-box reduction which yields a pseudouniform one-way function.

Thus, we suppose we are given $(g, A)$. Again we set $n(k) := n'(k) := k$, and let $m(k)$ be the input length of $g$ as provided by the reduction. Let $r(k)$ be the number of calls to $f$. As before we assume that $\in \mathbb{N}$, and modify $g$ so it is normalized.

For all $k$ with $r(k) \ge \frac{n(k)}{1000 \log(s(k))}$ we let $\mathrm{Breaker}_k$ be the function which always outputs $\bot$ and $f_k$ a permutation which is one-way against circuits of size $2^{n/5}$, which exists by [GGKT05].

Otherwise, we consider $p(g_k)$. If $p(g_k) \ge \frac12$ we set $\mathrm{Breaker}_k$ to be BreakOW. Lemma 12 again implies that BreakOW helps to invert $g$, but now we apply Lemma 24 and the union bound over the $2^{s(k)}$ possible advice strings to get a function which is hard to invert for all $h_k$.

If $p(g_k) < \frac12$, Lemma 17 gives a set $W_k \subseteq \{0,1\}^{m(k)}$ and $\mathcal{Y}_k \subseteq \{0,1\}^{n(k)}$ for which the output of $g_k$ is likely distinguished from uniform by BreakPU.

Writing the function $f$ as $f = \pi \circ \rho$ for some random permutation $\pi$ on $\mathcal{Y}$ and a regular function $\rho : \{0,1\}^n \to \mathcal{Y}$ we can apply Theorem 1 of [GGKT05] (which also holds if the circuit has oracle gates to BreakPU). We can thus find a function which is hard for $A$ and any advice string $h_k$, and yet the output will be distinguished from uniform. $\square$

8 Non-security parameter restricted constructions 
8.1 Fixing the polynomial in the construction 

Suppose that we have given a black-box construction $(g, A)$ of a pseudouniform one-way function from a one-way function together with its security reduction. The requirement on the efficiency of the construction is that for every choice of $(f, \mathrm{Breaker})$, both $g$ and $A$ should run in polynomial time. In other words, for any $(f, \mathrm{Breaker})$ there should be $c \in \mathbb{N}$ such that $g(k, \cdot)$ and $A(k, \cdot)$ run in time $k^c$. Note that $c$ can depend on $f$ and Breaker.

There do exist constructions $(g, A)$ which are polynomial for any $(f, \mathrm{Breaker})$, but where $c$ indeed depends inherently on the oracle.$^{11}$ However, it turns out that it is always possible to fix finitely many outputs of the oracles $f$ and Breaker such that after fixing these, $c$ is independent of the choice of the remaining positions.

$^{11}$ An example follows: suppose the function $g(k, v)$ first queries $f(0, 0), f(1, 0), \ldots, f(\log(k), 0)$. If all answers were the $0$-string, execute some algorithm which runs in linear time. Otherwise, let $c'$ be the index of the first answer which differs, and execute an algorithm which runs in time $k^{c'+1}$.

A prefix $(f^*, \mathrm{Breaker}^*)$ is simply the truth table for these oracles for lengths up to some integer $k_0$; oracles $(f, \mathrm{Breaker})$ agree with the prefix if their truth table up to length $k_0$ equals the one given by the prefix. A prefix $(f^{(2)}, \mathrm{Breaker}^{(2)})$ extends a prefix $(f^{(1)}, \mathrm{Breaker}^{(1)})$ if the truth table of $(f^{(2)}, \mathrm{Breaker}^{(2)})$ is larger than the truth table of $(f^{(1)}, \mathrm{Breaker}^{(1)})$, and they agree everywhere where $(f^{(1)}, \mathrm{Breaker}^{(1)})$ is defined.

Lemma 25. Suppose a black-box reduction $(g^{(f)}, A^{(\mathrm{Breaker}, f)})$ is given, and fix some length function $n(k)$. There exists a prefix $(f^*, \mathrm{Breaker}^*)$ and $c \in \mathbb{N}$ such that for any pair $(f, \mathrm{Breaker})$ which agrees with $(f^*, \mathrm{Breaker}^*)$ we have the following properties:

1. $g^{(f)}(\ell, \cdot)$ makes at most $\ell^c$ queries to $f(k, \cdot)$, and all of these queries satisfy $k \le \ell^c$.

2. $A^{(\mathrm{Breaker}, f)}(k, w)$ makes at most $k^c$ queries to $\mathrm{Breaker}(\ell, \cdot)$, and all of these queries satisfy $\ell \le k^c$.

3. $A^{(\mathrm{Breaker}, f)}(k, w)$ makes at most $k^c$ queries to $f(k', \cdot)$, and all of these queries satisfy $k' \le k^c$.

Proof. Suppose not, let $d \in \mathbb{N}$, and suppose we have given any prefix $(f^{(d)}, \mathrm{Breaker}^{(d)})$. Then, there exists a pair $(f, \mathrm{Breaker})$ of oracles which agree with $(f^{(d)}, \mathrm{Breaker}^{(d)})$ and where one of 1, 2, or 3 is violated for $c = d + 1$. Fix a length $k$ for which this is violated, and find a prefix $(f^{(d+1)}, \mathrm{Breaker}^{(d+1)})$ of $(f, \mathrm{Breaker})$ such that all queries done for up to security parameter $k$ are fixed in the prefix.

Thus, there is an infinite sequence of prefixes $\{(f^{(i)}, \mathrm{Breaker}^{(i)})\}_{i \ge 0}$ such that $(f^{(i+1)}, \mathrm{Breaker}^{(i+1)})$ extends $(f^{(i)}, \mathrm{Breaker}^{(i)})$, and for any $d \in \mathbb{N}$ there is an input which violates one of the conclusions of the lemma.

Clearly, such an infinite sequence defines a pair $(f, \mathrm{Breaker})$ for which $(g, A)$ is not polynomial. $\square$

8.2 Excluding general reductions 

We now come to the proof of Theorem [71 which we restate for convenience. 

Theorem 7. Fix a length function $n(k)$. Let $(g, A)$ be a fully black-box construction of a pseudorandom generator from a regular one-way function. Then, there is an oracle $f$ for which

$$r_f \in \Omega\!\left(\frac{n_f}{\log(n_f)}\right). \qquad (7)$$

Preparations for the proof. As before, we prove the analogous statement for pseudouniform one-way functions. Also, we assume that the theorem is not true, and that we have given $(g, A)$, and show that we can find oracles $(f, \mathrm{Breaker})$ which contradict the assumption that $(g, A)$ is a fully black-box construction.

We can assume that $g(\ell, v)$ never queries $f(k, x)$ twice for any $(k, x)$. Also, we use Lemma 25, which fixes a prefix for $(f, \mathrm{Breaker})$ and gives us a constant $c$ for which the properties in Lemma 25 are satisfied; we will use this constant throughout the proof.

We now choose $k_0$ and set $\ell_0 = k_0^c$ such that neither $f(k_0, \cdot)$ nor $\mathrm{Breaker}(\ell_0, \cdot)$ has been defined by Lemma 25. Furthermore, define all oracles $\mathrm{Breaker}(\ell, \cdot)$ for $\ell < \ell_0$ which have not been defined yet to oracles which do nothing (i.e., constantly output $\bot$). Analogously, define all oracles $f(k, \cdot)$ for $k < k_0$ which have not been defined yet to random permutations of length $n(k)$.

Next, we fix the constant $c$ for the rest of the proof (the properties of Lemma 25 remain valid if $c$ is enlarged). We require that it satisfies that for any $k \in \{\ell^{1/c}, \ldots, \ell^c\}$ we have $\ell^{1/c} \le n(k) \le \ell^c$; this is possible because $n(k)$ is a length function.

Overview and some basics of the proof. In the main part of the proof, we define the oracles $\mathrm{Breaker}(\ell, \cdot)$ and $f(k, \cdot)$. We essentially use one iteration for each $\ell$, and increase $\ell$ over time. At the beginning of iteration $\ell$, we will have defined the oracles $\mathrm{Breaker}(1, \cdot), \ldots, \mathrm{Breaker}(\ell - 1, \cdot)$ and $f(k, \cdot)$ for any $k < \ell^{1/c}$.

At this point, we enumerate each $\tilde n$ which is possibly the length of the shortest query made by $g(\ell, \cdot)$, ignoring the length of those for which $f(k, \cdot)$ has been defined already. For each such $\tilde n$, we consider the probability

$$q_{\ell, \tilde n} := \Pr\left[\begin{array}{l} g^{(f)}(\ell, v) \text{ queries } f \text{ on security parameters } k \ge \ell^{1/c} \text{ a total of at most} \\ \frac{\tilde n}{d \log(\tilde n)} \text{ times, and for all these queries } f(k, \cdot) \text{ we have } n(k) \ge \tilde n \end{array}\right]$$

where $f(k, \cdot)$ is chosen as a random permutation for any $k \ge \ell^{1/c}$. The parameter $d$ will be defined later, and is slowly growing as $\ell \to \infty$.

We then distinguish two cases. The first case is if $q_{\ell, \tilde n} < \ell^{-c-2}$ for all $\tilde n$.

In this case, we define $\mathrm{Breaker}(\ell, \cdot) := \bot$, so that it does nothing on this length, increase $\ell$, and go to the next iteration. We will show that infinitely often $q_{\ell, \tilde n}$ must be larger than $\ell^{-c-2}$ for some $\tilde n$, as otherwise we can obtain an oracle $(f, \mathrm{Breaker})$ for which $r_f \in \Omega(n_f / \log(n_f))$.

The second case is more interesting: there is $\tilde n$ for which $q_{\ell, \tilde n} \ge \ell^{-c-2}$.

In this case, we know that with some polynomial probability, $g(\ell, \cdot)$ will only make few queries. We would like to apply the previous machinery, but cannot do so directly: $g$ possibly makes more than $\tilde n / (d \log(\tilde n))$ many queries for some oracle $f$, and possibly queries $f$ on input lengths shorter than $\tilde n$ for some oracle $f$.

Also (and this is the problem we fix first), the previous machinery only allows $g$ to make queries to one fixed input length $n$, whereas $g$ may query $f$ with many different parameters $k$ for which $n(k) \ge \tilde n$.

To solve this, we use the following idea: underlying $f(k, \cdot)$ could in fact be a single one-way function $\tilde f : \{0,1\}^{\tilde n} \to \{0,1\}^{\tilde n}$ for many different values of $k$, so that $f(k, x) = S_k(\tilde f(P_k(x)))$ for some simple to compute projection $P_k : \{0,1\}^{n(k)} \to \{0,1\}^{\tilde n}$ and some expansion $S_k : \{0,1\}^{\tilde n} \to \{0,1\}^{n(k)}$.

Thus, we pick uniform random regular functions $P_k$ and uniform random injective expansions $S_k$ for each $k$ for which $n(k) \ge \tilde n$ (this is what the procedures below do). We then consider the construction $\hat g^{(f, \tilde f, P, S)}_{\tilde n}$. This construction is defined as follows: the function $\hat g^{(f, \tilde f, P, S)}_{\tilde n}$ simulates $g$, except whenever $g$ calls the oracle $f$.

In case $g$ calls $f(k, x)$ for some $k$ with $k < \ell^{1/c}$, the answer of $f(k, x)$ is hard-coded into $\hat g$ (because $f$ is already defined on these lengths).

If $g$ calls $f(k, x)$ for some $k$ with $n(k) < \tilde n$ and $k \ge \ell^{1/c}$, then $\hat g$ calls $f(k, x)$ as well.

In case $g$ calls $f(k, x)$ for some $k$ with $n(k) \ge \tilde n$ and $k \ge \ell^{1/c}$, $\hat g_{\tilde n}$ instead calls $S_k(\tilde f(P_k(x)))$.

The function $\hat g$ behaves almost as $g$ when $f$ is chosen as a random permutation. The only exception is in the unlikely case that $P_k(x) = P_k(x')$ for two queries $(k, x) \ne (k, x')$ to $f$.

The function $\hat g$ solves the last problem above, so that we get closer to applying the previous machinery. However, $\hat g$ still can make more than $\tilde n / (d \log(\tilde n))$ queries to $\tilde f$, or query $f$ on shorter inputs than $\tilde n$ for some $f$. Thus, we consider the construction $h$, which is just like $\hat g$, but has additional restrictions:

Whenever $\hat g$ does more than $\tilde n / (d \log(\tilde n))$ calls, $h$ simply stops and outputs $(v, \bot)$.

Whenever $\hat g$ does a call to $f(k, \cdot)$ with $n(k) < \tilde n$ and $k \ge k_0$, $h$ stops and outputs $(v, \bot)$.

We note that $h$ does not need to call the oracle $f$ at any time anymore.

As long as $d \to \infty$ for $\ell \to \infty$, the results from the previous sections will guarantee that breaking the pseudouniformity of $h$ does not help inverting $\tilde f$. The main difficulty is that $h$ may behave very differently from $g$. However, we can note that

$$\Pr\bigl[h^{(\tilde f, P, S)}(v) = \hat g^{(f, \tilde f, P, S)}(v)\bigr] \ge q_{\ell, \tilde n} - \Pr\bigl[\text{two queries to some } P_k \text{ collide in the evaluation of } \hat g\bigr], \qquad (71)$$

because as long as no two queries to $P_k(\cdot)$ collide in the evaluation of $\hat g$, each query will be answered with a uniform random answer, and so $g$ and $\hat g$ will behave exactly the same.

We are now interested in the probability that BreakOW inverts a random image of $\hat g$. To apply the previous machinery, we want to instantiate BreakOW using $h$. Thus, we consider the probability

$$p_{\ell, \tilde n} := \Pr_{\tilde f, P, S, v, f}\Bigl[\mathrm{SafeToAnswer}^{(\tilde f)}_h\bigl(h^{(\tilde f, P, S)}(v), \mathrm{QueryY}(h, \tilde f, v)\bigr) \;\wedge\; h^{(\tilde f, P, S)}(v) = \hat g^{(f, \tilde f, P, S)}(v)\Bigr]. \qquad (72)$$

Here, SafeToAnswer is instantiated using $h$ instead of $g$.$^{12}$

We will then show that we can do a similar case distinction on $p_{\ell, \tilde n}$ as we did in the previous sections on $p(g)$. This will allow us to build oracles $(f(k, \cdot), \mathrm{Breaker}(\ell, \cdot))$ where $\mathrm{Breaker}(\ell, \cdot)$ breaks the construction on this length.

After this, we set $\mathrm{Breaker}(\ell', \cdot) := \bot$ for $\ell < \ell' \le \ell^{c^2}$, which ensures that there is no problem because different lengths are interfering with each other. We then go to the next iteration for which $\mathrm{Breaker}(\ell, \cdot)$ is not yet defined.

Building the oracles. We now describe a randomized procedure which builds oracles $f$ and Breaker by building a sequence of extending prefixes (as in the proof of Lemma 25). After this, we prove that the oracle arising from this sequence has the required properties with probability 1.



Algorithm GenerateOracles
    Fix Breaker and $f$ up to some length using Lemma 25, then ensure that
    $f(k, \cdot)$ is defined up to security parameter $k_0$ for some $k_0$, and that
    $\mathrm{Breaker}(\ell, \cdot)$ is defined up to $k_0^c$.
    $d := 1$
    $\ell :=$ smallest $\ell$ for which $\mathrm{Breaker}(\ell, \cdot)$ has not yet been defined
    do forever
        // We define $\mathrm{Breaker}(\ell, \cdot)$ in this iteration
        if $\forall \tilde n \in \{\ell^{1/c}, \ldots, \ell^c\}$: $q_{\ell, \tilde n} < \ell^{-(c+2)}$ then
            $\mathrm{Breaker}(\ell, \cdot) := \bot$   // Breaker will not help on this length
            if $\exists k \in \mathbb{N} : k^c = \ell$ then
                $f(k, \cdot) \leftarrow \Pi_{n(k)}$   // A random permutation on $n(k)$ bits
        else
            let $\tilde n$ be such that $q_{\ell, \tilde n} \ge \ell^{-(c+2)}$
            if $p_{\ell, \tilde n} < \frac{1}{2}\ell^{-(c+2)}$ then
                try at most $\ell^{c+3}$ times
                    BuildPUBreaker($\ell$, $\tilde n$)
                    stop if $\mathrm{Breaker}(\ell, \cdot)$ has distinguishing advantage at least $\ell^{-(c+3)}$,
                    otherwise roll back the changes and try the loop again
            else
                try at most $\ell^{c+3}$ times
                    BuildOWBreaker($\ell$, $\tilde n$)
                    stop if $\mathrm{Breaker}(\ell, \cdot)$ inverts $g$ with probability at least $\ell^{-(c+3)}$,
                    otherwise roll back the changes and try the loop again
            fi
        $d := d + 1$
        $\ell := \ell + 1$

$^{12}$ Strictly speaking, to instantiate SafeToAnswer we should give it a function $h$ which only uses the oracle $\tilde f$, but not the oracles $P$ and $S$. For that purpose, one can think of $P$ and $S$ as being hardcoded into $h$.



procedure BuildPUBreaker($\ell$, $\tilde n$)
    $r := \tilde n / (d \log(\tilde n))$
    Pick $\mathcal{Y} \subseteq \{0,1\}^{\tilde n}$, $|\mathcal{Y}| = 2^{\tilde n / (100 r)}$ u.a.r.
    for each $k \in \{\ell^{1/c}, \ldots, \ell^c\}$ with $n(k) \ge \tilde n$ do
        pick a regular function $P_k : \{0,1\}^{n(k)} \to \{0,1\}^{\tilde n}$ u.a.r.
        pick an injective function $S_k : \{0,1\}^{\tilde n} \to \{0,1\}^{n(k)}$ u.a.r.
    // At this point, $h$ and $\mathcal{Y}$ are defined
    Obtain $W$ (using $h$ as underlying function) as in Lemma 17
    $\mathrm{Breaker}(\ell, \cdot) := \mathrm{BreakPU}(W)$
    Pick a regular function $\tilde f : \{0,1\}^{\tilde n} \to \mathcal{Y}$ u.a.r.
    for each $k \in \{\ell^{1/c}, \ldots, \ell^c\}$ do
        if $n(k) \ge \tilde n$ then
            $f(k, \cdot) := S_k \circ \tilde f \circ P_k$
        else
            $f(k, \cdot) \leftarrow \Pi_{n(k)}$
    for $\ell' \in \{\ell + 1, \ldots, \ell^{c^2}\}$ do
        $\mathrm{Breaker}(\ell', \cdot) := \bot$
    $\ell := \ell^{c^2}$   // the main loop then increments $\ell$ to the next undefined length



procedure BuildOWBreaker($\ell$, $\tilde n$)
    $r := \tilde n / (d \log(\tilde n))$
    for each $k \in \{\ell^{1/c}, \ldots, \ell^c\}$ with $n(k) \ge \tilde n$ do
        pick a regular function $P_k : \{0,1\}^{n(k)} \to \{0,1\}^{\tilde n}$ u.a.r.
        pick an injective function $S_k : \{0,1\}^{\tilde n} \to \{0,1\}^{n(k)}$ u.a.r.
    // At this point, $h$ is defined
    $\mathrm{Breaker}(\ell, \cdot) := \mathrm{BreakOW}_h^{(\cdot)}(\cdot)$
    Pick a permutation $\tilde f : \{0,1\}^{\tilde n} \to \{0,1\}^{\tilde n}$ u.a.r.
    for each $k \in \{\ell^{1/c}, \ldots, \ell^c\}$ do
        if $n(k) \ge \tilde n$ then
            $f(k, \cdot) := S_k \circ \tilde f \circ P_k$
        else
            $f(k, \cdot) \leftarrow \Pi_{n(k)}$
    for $\ell' \in \{\ell + 1, \ldots, \ell^{c^2}\}$ do
        $\mathrm{Breaker}(\ell', \cdot) := \bot$
    $\ell := \ell^{c^2}$   // the main loop then increments $\ell$ to the next undefined length

Clearly, GenerateOracles defines an infinite sequence of prefixes $(f^{(i)}, \mathrm{Breaker}^{(i)})$, and as before we can extend that to a single oracle $(f, \mathrm{Breaker})$. Analogously, we can extend events which are defined on prefixes to an infinite sequence of events.

We next explain how these procedures make their random choices. For this we assume that for each $k \in \mathbb{N}$, a permutation $\bar f(k, \cdot)$ is picked. Whenever GenerateOracles executes the assignment $f(k, \cdot) \leftarrow \Pi_{n(k)}$ (in the part where it defines $\mathrm{Breaker}(\ell, \cdot) := \bot$), it assigns $f(k, x) := \bar f(k, x)$. We can imagine these permutations to be picked before GenerateOracles is executed (in that way, we can talk about future assignments).

Also, for each $\ell$ and each $k \in \{\ell^{1/c}, \ldots, \ell^c\}$, we pick $\ell^{c+3}$ choices for $S_k, P_k$. Also, for each possible $\tilde n$ we pick $\ell^{c+3}$ choices for $\tilde f$. Then, in the $i$th iteration, we simply assume that the $i$th such choice is used. As with $\bar f$, this is useful in order to argue about future assignments.

Lemma 26. Consider an execution of the algorithm GenerateOracles. For each $\ell$, let $N_\ell$ be the event that the else clause of algorithm GenerateOracles is executed on iteration $\ell$. Then, with probability 1, infinitely many events $N_\ell$ occur.

Proof. We let $d_\ell$ be the random variable which takes the value of $d$ in the $\ell$th iteration of GenerateOracles.

For each $\ell$ and each $\tilde n \in \{1, \ldots, \ell^c\}$ we now define an event $B_{\ell, \tilde n}$. For this event, we stop the normal execution of GenerateOracles at loop $\ell$, and instead extend $f$ using $\bar f$ exclusively (i.e., fill everything with the random permutations we picked before). We then let $B_{\ell, \tilde n}$ be the event which occurs if $r_f \le \tilde n / (d_\ell \log(\tilde n))$ and $n_f = \tilde n$ in this extension. Clearly $\Pr[B_{\ell, \tilde n} \wedge \neg N_\ell] \le \ell^{-(c+2)}$, because in case we extend with random permutations, $q_{\ell, \tilde n}$ is defined exactly as the probability that the event $B_{\ell, \tilde n}$ occurs.

Thus, $\sum_{\ell} \sum_{\tilde n \le \ell^c} \Pr[B_{\ell, \tilde n} \wedge \neg N_\ell] \le \sum_\ell \ell^{-2} < \infty$, and so by the Borel-Cantelli lemma, $(B_{\ell, \tilde n} \wedge \neg N_\ell)$ happens for infinitely many $\ell$ with probability 0.

Now, suppose that in some execution only finitely many events $B_{\ell, \tilde n}$ happen. Then we found an oracle for which $r_f \in \Omega(n_f / \log(n_f))$, because in this case we extended only using $\bar f$ starting from some fixed length.

Therefore, in all executions infinitely many events $B_{\ell, \tilde n}$ happen, and so the event $N_\ell$ must happen for infinitely many $\ell$ with probability 1. $\square$

Lemma 27. Suppose that $q_{\ell, \tilde n} \ge \ell^{-(c+2)}$, $p_{\ell, \tilde n} < \frac{1}{2}\ell^{-(c+2)}$, $d \ge 2c$, and $\ell$ is larger than some constant in an execution of the loop in algorithm GenerateOracles.

Then, with probability at least $\frac{1}{6}\ell^{-(c+2)}$, after a single call to BuildPUBreaker($\ell$, $\tilde n$), the oracle $\mathrm{BreakPU}(\ell, \cdot)$ has advantage at least $\frac{1}{6}\ell^{-(c+2)}$ in distinguishing $g(\ell, v)$ from a uniform random string.

Proof. We first notice that $\Pr_{w \leftarrow U_{m'(\ell)}}[\mathrm{BreakPU}(\ell, w) = 1]$ is negligible: Lemma 17 gives a set $W$ whose size is at most $2^{m(\ell)}$ divided by a factor exponential in $\tilde n$, and $\tilde n \ge \ell^{1/c}$.

We next show that

$$\Pr_{v, f', f, P, S}\bigl[\hat g^{(f, f', P, S)}(v) \in W\bigr] \ge \frac{1}{3}\ell^{-(c+2)}, \qquad (73)$$

where $f'$ is chosen as a random regular function $f' : \{0,1\}^{\tilde n} \to \mathcal{Y}$, for $\mathcal{Y}$ of size $2^{\tilde n / (100 r)}$ chosen uniformly at random. From (73) we get the lemma by applying Markov's inequality to the random variable $\Pr_v[\hat g^{(f, f', P, S)}(v) \in W]$, which lies in $[0, 1]$ and, over the choice of $f', f, P, S$, has expectation at least $\frac{1}{3}\ell^{-(c+2)}$; it therefore exceeds $\frac{1}{6}\ell^{-(c+2)}$ with probability at least $\frac{1}{6}\ell^{-(c+2)}$. To see (73), we use that

$$\Pr_{v, f', f, P, S}\bigl[\hat g^{(f, f', P, S)}(v) \in W\bigr] \ge \Pr_{v, \tilde f, f, P, S}\bigl[\hat g^{(f, \tilde f, P, S)}(v) \in W\bigr] - \frac{\mathrm{poly}(\ell)}{|\mathcal{Y}|},$$

where $\tilde f \in \mathcal{P}_{\tilde n}$ is a uniform random permutation on $\tilde n$ bits: this follows as in the proof of Lemma 17. We now see that

$$\begin{aligned}
\Pr_{v, \tilde f, f, P, S}\bigl[\hat g^{(f, \tilde f, P, S)}(v) \in W\bigr]
&\ge \Pr_{v, \tilde f, f, P, S}\bigl[h^{(\tilde f, P, S)}(v) \in W \;\wedge\; h^{(\tilde f, P, S)}(v) = \hat g^{(f, \tilde f, P, S)}(v)\bigr] \\
&\ge \Pr_{v, \tilde f, f, P, S}\bigl[\neg \mathrm{SafeToAnswer}^{(\tilde f)}_h\bigl(h^{(\tilde f, P, S)}(v), \mathrm{QueryY}(h, \tilde f, v)\bigr) \;\wedge\; h^{(\tilde f, P, S)}(v) = \hat g^{(f, \tilde f, P, S)}(v)\bigr]
\end{aligned}$$

due to the definition of $W$ in the proof of Lemma 17.

Using (71), we see that this last probability is at least $q_{\ell, \tilde n} - p_{\ell, \tilde n} - \Pr[\text{two queries to some } P_k \text{ collide in the evaluation of } \hat g]$, which gives (73), and therefore the lemma. $\square$

Lemma 28. Suppose that $p_{\ell, \tilde n} \ge \frac{1}{2}\ell^{-(c+2)}$. Then, with probability at least $\frac{1}{4}\ell^{-(c+2)}$, after a call to BuildOWBreaker($\ell$, $\tilde n$), the oracle BreakOW will invert $g(\ell, v)$ with probability at least $\frac{1}{4}\ell^{-(c+2)}$.

Proof. Consider, for fixed $(f, \tilde f, P, S)$, the probability

$$p' := \Pr_v\Bigl[\mathrm{SafeToAnswer}^{(\tilde f)}_h\bigl(h^{(\tilde f, P, S)}(v), \mathrm{QueryY}(h, \tilde f, v)\bigr) \;\wedge\; h^{(\tilde f, P, S)}(v) = \hat g^{(f, \tilde f, P, S)}(v)\Bigr]. \qquad (74)$$

We know that $p_{\ell, \tilde n} = \mathbb{E}_{f, \tilde f, P, S}[p'] \ge \frac{1}{2}\ell^{-(c+2)}$. Thus, by Markov's inequality (applied to $1 - p'$), with probability at least $\frac{1}{4}\ell^{-(c+2)}$ over the choice of $(f, \tilde f, P, S)$, $p'$ is at least $\frac{1}{4}\ell^{-(c+2)}$. Now, after BuildOWBreaker has fixed $f, \tilde f, P, S$, in case $p' \ge \frac{1}{4}\ell^{-(c+2)}$, it is clear that BreakOW will invert $g$ with this probability (because for any $w$ which is chosen as $w = g(v)$, $h$ has no preimages of $w$ which $g$ does not have, and BreakOW will at least find the preimage $v$ for $h$). $\square$

Lemma 29. With probability 1, the probability that $A(k, \cdot)$ inverts $f(k, \cdot)$ is a negligible function in $k$.

Proof. Let $B_{k, a}$ be the event that $A(k, \cdot)$ inverts $f(k, \cdot)$ with probability at least $k^{-a}$. We show that for any $a \in \mathbb{N}$, with probability 1, only finitely many events $B_{k, a}$ happen. By the Borel-Cantelli lemma it is enough to show that $\sum_k \Pr[B_{k, a}] < \infty$ for any $a$. For this, it is clearly enough to show that $\Pr[B_{k, a}]$ is a negligible function in $k$ for any $a$.

To show this, we distinguish cases. First, consider the case that $f(k, \cdot)$ is picked as a random permutation in GenerateOracles, i.e., the case where $q_{\ell, \tilde n} < \ell^{-(c+2)}$ for all $\tilde n$ and $k^c = \ell$.

All oracles $\mathrm{Breaker}(\ell, \cdot)$ which $A(k, \cdot)$ can possibly access are fixed before $f(k, \cdot)$ is chosen, and so we can ignore them. The same holds for all oracles $f(k', \cdot)$ for $k' < k$.

However, $A$ can also access $f(k', \cdot)$ for $k < k' \le k^c$. These are picked later, and the distribution can depend on $f(k, \cdot)$.

Luckily, there is only a polynomial number of possibilities how the functions $f(k', \cdot)$ for $k < k' \le k^c$ will be chosen in the end. To see that, note that we can specify how all of these $f(k', \cdot)$ are chosen by specifying

• the integer $\ell \in \{k^c, \ldots, k^{c^2}\}$ for which the algorithm GenerateOracles uses the else clause, in case there is one (note that there is at most one),

• the integer $\tilde n$ which GenerateOracles uses in this case,

• whether GenerateOracles uses BuildPUBreaker or BuildOWBreaker,

• and which of the at most $\ell^{c+3}$ iterations is used in the end.

Once we have specified these numbers, we see that we know which of the choices for $S_k, P_k, \tilde f$, and so on are used to pick $f(k', \cdot)$ for all these $k'$.

We can now simply check whether $A(k, \cdot)$ inverts $f(k, \cdot)$ with probability $k^{-a}$ for any of these random choices. Since this probability is negligible, we apply the union bound over the polynomially many choices and get the result in this case.

The same argument works in case $f(k, \cdot)$ is picked from $\Pi_{n(k)}$ in either BuildOWBreaker or BuildPUBreaker (because $n(k) < \tilde n$).

Thus, consider the last case where $f(k, \cdot)$ is set to $S_k \circ \tilde f \circ P_k$ in either BuildOWBreaker or BuildPUBreaker. Then, for any iteration we consider the breaker which tries to invert $\tilde f$ on a challenge $y$ by first applying $S_k$ to $y$, then running $A(k, \cdot)$ on $S_k(y)$, and then applying $P_k$ to the result (any $x$ with $f(k, x) = S_k(y)$ satisfies $\tilde f(P_k(x)) = y$, since $S_k$ is injective). The probability that this algorithm inverts $\tilde f$ in any of the at most $\ell^{c+3}$ iterations of BuildPUBreaker or BuildOWBreaker is negligible (by the previous sections), and so we get the result in this case as well. $\square$
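The following Python code is an added example, not part of the paper. It builds the embedding $f(k, \cdot) = S_k \circ \tilde f \circ P_k$ from the proof overview for small constructed parameters ($\tilde n = 3$, $n(k) = 5$, bit strings represented as integers), checks that the result is regular, lists the query pairs on which $P_k$ collides (the only event in which $\hat g$ deviates from $g$), and implements the breaker from the last case of Lemma 29: apply $S_k$ to the challenge, run the inverter $A(k, \cdot)$ (here a brute-force table stands in for $A$), and project the answer through $P_k$. Function names such as `embed`, `invert_ftilde_via_fk` and `demo` are our own.

```python
"""Embedding one short function into many security parameters (constructed
example): f(k, x) = S_k(ftilde(P_k(x))) as in the proof overview.
Bit strings of length m are represented as Python ints in range(2 ** m)."""
import random
from collections import Counter
from typing import Callable, Dict, List, Tuple


def random_permutation(n: int, rng: random.Random) -> Dict[int, int]:
    """Uniformly random permutation of {0,1}^n as a lookup table."""
    images = list(range(2 ** n))
    rng.shuffle(images)
    return {x: images[x] for x in range(2 ** n)}


def random_regular_projection(n_k: int, n: int, rng: random.Random) -> Dict[int, int]:
    """Random regular function {0,1}^{n_k} -> {0,1}^n: each of the 2^n images
    has exactly 2^{n_k - n} preimages (needs n_k >= n)."""
    assert n_k >= n
    inputs = list(range(2 ** n_k))
    rng.shuffle(inputs)
    # Images are handed out round-robin over a random ordering of the inputs.
    return {x: i % (2 ** n) for i, x in enumerate(inputs)}


def random_injective_expansion(n: int, n_k: int, rng: random.Random) -> Dict[int, int]:
    """Random injective function {0,1}^n -> {0,1}^{n_k} (needs n_k >= n)."""
    assert n_k >= n
    images = rng.sample(range(2 ** n_k), 2 ** n)
    return {y: images[y] for y in range(2 ** n)}


def embed(S_k: Dict[int, int], ftilde: Dict[int, int], P_k: Dict[int, int]) -> Dict[int, int]:
    """The oracle f(k, .) = S_k o ftilde o P_k."""
    return {x: S_k[ftilde[P_k[x]]] for x in P_k}


def preimage_sizes(table: Dict[int, int]) -> set:
    """Set of preimage sizes; a single element {c} means the function is c-regular."""
    return set(Counter(table.values()).values())


def colliding_pairs(P_k: Dict[int, int], queries: List[int]) -> List[Tuple[int, int]]:
    """Pairs of queried inputs with P_k(x) = P_k(x'): on these f(k, .) collides,
    whereas a random permutation never would, so the simulation g-hat of g
    deviates from g exactly when such a pair is queried."""
    return [(x, x2) for i, x in enumerate(queries) for x2 in queries[i + 1:]
            if P_k[x] == P_k[x2]]


def invert_ftilde_via_fk(A_k: Callable[[int], int], S_k: Dict[int, int],
                         P_k: Dict[int, int], y: int) -> int:
    """Breaker from the last case of Lemma 29: given an inverter A_k for
    f(k, .), invert ftilde on y.  Any x with f(k, x) = S_k(y) satisfies
    ftilde(P_k(x)) = y because S_k is injective."""
    x = A_k(S_k[y])
    return P_k[x]


def demo(n: int = 3, n_k: int = 5, seed: int = 1) -> Dict[str, object]:
    """Build all pieces for one k and run the reduction on every y."""
    rng = random.Random(seed)
    ftilde = random_permutation(n, rng)
    P_k = random_regular_projection(n_k, n, rng)
    S_k = random_injective_expansion(n, n_k, rng)
    f_k = embed(S_k, ftilde, P_k)
    # A brute-force inverter (any preimage) stands in for the reduction A(k, .).
    inverse: Dict[int, int] = {}
    for x, w in f_k.items():
        inverse.setdefault(w, x)
    recovered = {y: invert_ftilde_via_fk(inverse.__getitem__, S_k, P_k, y)
                 for y in range(2 ** n)}
    return {"ftilde": ftilde, "P_k": P_k, "S_k": S_k, "f_k": f_k, "recovered": recovered}


if __name__ == "__main__":
    parts = demo()
    print("preimage sizes of f(k,.):", preimage_sizes(parts["f_k"]))
    print("reduction inverts ftilde on all y:",
          all(parts["ftilde"][z] == y for y, z in parts["recovered"].items()))
```

Because $P_k$ is regular and $\tilde f$ is a permutation, the composed $f(k, \cdot)$ is $2^{n(k) - \tilde n}$-regular, which is what lets the proof treat it as a regular one-way function; the inverter for $f(k, \cdot)$ may return any of those preimages and the reduction still succeeds.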

Finishing the proof. We can now finish the proof of Theorem 7.

First, we see that with probability 1 the oracles $(f, \mathrm{Breaker})$ generated are such that Breaker either infinitely often breaks the one-wayness or infinitely often breaks the pseudouniformity of $g$: due to Lemma 26 we see that we will infinitely often attempt to construct Breaker in one of the two ways, and by either Lemma 27 or Lemma 28 we see that the probability that this only works finitely many times is 0 (again using Borel-Cantelli). By Lemma 29 we see that $f$ will be one-way for $A$, which proves the result.